6.8

CVE-2024-2660

Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HashicorpVault SwEditionenterprise Version >= 1.14.0 < 1.14.11
HashicorpVault SwEdition- Version >= 1.14.0 < 1.16.0
HashicorpVault SwEditionenterprise Version >= 1.15.0 < 1.15.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.7% 0.72
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 0.9 5.9
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security@hashicorp.com 6.4 0.5 5.9
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-636 Not Failing Securely ('Failing Open')

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.