DirectorySecurity Advisories
Sign In
Security Advisories

CGA-pjh7-h2pj-2vc2

Published

Last updated

https://images.chainguard.dev/security/CGA-pjh7-h2pj-2vc2
Package

vault-1.14

Latest Update
Not affected
Aliases
  • CVE-2023-24999
  • GHSA-wmg5-g953-qqfw

Severity

8.1

High

CVSS V3

Summary

Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation

Description

When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999, has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images