CVE-2024-9180

EPSS 0.27%
Published 10.10.2024 21:15:05
Last modified 18.10.2024 20:15:03
Source security@hashicorp.com
Teams watchlist Login
Open Login

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Hashicorp ≫ Vault SwEditionenterprise Version >= 1.7.7 <= 1.17.7

Hashicorp ≫ Vault SwEdition- Version >= 1.7.7 < 1.18.0

Hashicorp ≫ Vault SwEditionenterprise Version >= 1.15.0 < 1.15.16

Hashicorp ≫ Vault SwEditionenterprise Version >= 1.16.0 < 1.16.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.27%	0.507

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security@hashicorp.com	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-266 Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-9180

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-9180

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-9180

EUVD