Security Advisories

CVE-2024-5798

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-5798

CGA ID

CGA-ccrf-775v-573j

Severity

2.6

Low

CVSS V3

Summary

HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims

Description

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT whose audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected.

This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9.

References

  • https://images.chainguard.dev/security/CGA-ccrf-775v-573j

Affected packages

