DirectorySecurity Advisories
Sign In
Security Advisories

CGA-g5pv-vx8r-835j

Published

Last updated

https://images.chainguard.dev/security/CGA-g5pv-vx8r-835j
Package

vault-1.16

Latest Update
Not affected
Aliases
  • CVE-2023-24999
  • GHSA-wmg5-g953-qqfw

Severity

8.1

High

CVSS V3

Summary

Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation

Description

When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999, has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

References

Updates

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsOpen SourceCareersNewsroomLegal

Resources

Unchained BlogResearchEventsTrust CenterDocumentation