CVE-2024-2660 (GCVE-0-2024-2660)

Vulnerability from cvelistv5 – Published: 2024-04-04 17:55 – Updated: 2024-09-26 00:13
VLAI?
Title
Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses
Summary
Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
Severity ?
6.4 (Medium)
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-636 - Not Failing Securely (Failing Open)
Assigner
References
Impacted products
Vendor Product Version
HashiCorp Vault Affected: 1.14.0 , < 1.16.0 (semver)
Create a notification for this product.
    HashiCorp Vault Enterprise Affected: 1.14.0 , < 1.16.0 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-2660",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-09T16:05:40.204182Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:29:09.743Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T19:18:48.125Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240524-0007/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "1.16.0",
              "status": "affected",
              "version": "1.14.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.14.11",
                  "status": "unaffected"
                },
                {
                  "at": "1.15.7",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.16.0",
              "status": "affected",
              "version": "1.14.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-26",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-26: Leveraging Race Conditions"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-636",
              "description": "CWE-636: Not Failing Securely (Failing Open)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-26T00:13:17.242Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
        }
      ],
      "source": {
        "advisory": "HCSEC-2024-07",
        "discovery": "INTERNAL"
      },
      "title": "Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2024-2660",
    "datePublished": "2024-04-04T17:55:20.192Z",
    "dateReserved": "2024-03-19T17:34:27.401Z",
    "dateUpdated": "2024-09-26T00:13:17.242Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.\"}, {\"lang\": \"es\", \"value\": \"El m\\u00e9todo de autenticaci\\u00f3n de los certificados TLS de Vault y Vault Enterprise no validaba correctamente las respuestas de OCSP cuando se configuraban uno o m\\u00e1s or\\u00edgenes de OCSP. Se corrigi\\u00f3 en Vault 1.16.0 y Vault Enterprise 1.16.1, 1.15.7 y 1.14.11.\"}]",
      "id": "CVE-2024-2660",
      "lastModified": "2024-11-21T09:10:13.993",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@hashicorp.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.5, \"impactScore\": 5.9}]}",
      "published": "2024-04-04T18:15:14.783",
      "references": "[{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\", \"source\": \"security@hashicorp.com\"}, {\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240524-0007/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@hashicorp.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@hashicorp.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-636\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-2660\",\"sourceIdentifier\":\"security@hashicorp.com\",\"published\":\"2024-04-04T18:15:14.783\",\"lastModified\":\"2025-08-08T19:00:18.940\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.\"},{\"lang\":\"es\",\"value\":\"El m\u00e9todo de autenticaci\u00f3n de los certificados TLS de Vault y Vault Enterprise no validaba correctamente las respuestas de OCSP cuando se configuraban uno o m\u00e1s or\u00edgenes de OCSP. Se corrigi\u00f3 en Vault 1.16.0 y Vault Enterprise 1.16.1, 1.15.7 y 1.14.11.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@hashicorp.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.5,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@hashicorp.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-636\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"1.14.0\",\"versionEndExcluding\":\"1.14.11\",\"matchCriteriaId\":\"2E2AB795-72DA-4047-B600-A43AD9B8AF52\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"1.14.0\",\"versionEndExcluding\":\"1.16.0\",\"matchCriteriaId\":\"FA85F169-F4FE-4280-A6C9-7BCFB08999F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"1.15.0\",\"versionEndExcluding\":\"1.15.7\",\"matchCriteriaId\":\"77F82E35-73F4-42BF-9A7F-4D095ECAAFEE\"}]}]}],\"references\":[{\"url\":\"https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\",\"source\":\"security@hashicorp.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240524-0007/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240524-0007/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T19:18:48.125Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-2660\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-09T16:05:40.204182Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:22.689Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses\", \"source\": {\"advisory\": \"HCSEC-2024-07\", \"discovery\": \"INTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-26\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-26: Leveraging Race Conditions\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/hashicorp/vault\", \"vendor\": \"HashiCorp\", \"product\": \"Vault\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.14.0\", \"lessThan\": \"1.16.0\", \"versionType\": \"semver\"}], \"platforms\": [\"64 bit\", \"32 bit\", \"x86\", \"ARM\", \"MacOS\", \"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://github.com/hashicorp/vault\", \"vendor\": \"HashiCorp\", \"product\": \"Vault Enterprise\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"1.14.11\", \"status\": \"unaffected\"}, {\"at\": \"1.15.7\", \"status\": \"unaffected\"}], \"version\": \"1.14.0\", \"lessThan\": \"1.16.0\", \"versionType\": \"semver\"}], \"platforms\": [\"64 bit\", \"32 bit\", \"x86\", \"ARM\", \"MacOS\", \"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eVault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.\u003c/p\u003e\u003cbr/\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-636\", \"description\": \"CWE-636: Not Failing Securely (Failing Open)\"}]}], \"providerMetadata\": {\"orgId\": \"67fedba0-ff2e-4543-ba5b-aa93e87718cc\", \"shortName\": \"HashiCorp\", \"dateUpdated\": \"2024-09-26T00:13:17.242Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-2660\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-26T00:13:17.242Z\", \"dateReserved\": \"2024-03-19T17:34:27.401Z\", \"assignerOrgId\": \"67fedba0-ff2e-4543-ba5b-aa93e87718cc\", \"datePublished\": \"2024-04-04T17:55:20.192Z\", \"assignerShortName\": \"HashiCorp\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.