CVE-2024-2660 Vulnerability Details

  /     /     /  

CVE-2024-2660 Metadata Quick Info

CVE Published: 04/04/2024 | CVE Updated: 26/09/2024 | CVE Year: 2024
Source: HashiCorp | Vendor: HashiCorp | Product: Vault
Status : PUBLISHED

---

CVE-2024-2660 Description

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

Metrics

CVSS Version: 3.1 | Base Score: 6.4 MEDIUM
Vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-636
CWE Name: CWE-636: Not Failing Securely (Failing Open)
Source: HashiCorp

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-26
CAPEC Description: CAPEC-26: Leveraging Race Conditions


Source: NVD (National Vulnerability Database).