CVE-2024-7594

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-7594

CGA ID

CGA-c4r2-jfwp-c72c

Severity

7.5

High

CVSS V3

Summary

Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

Description

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.

References

https://images.chainguard.dev/security/CGA-c4r2-jfwp-c72c
https://github.com/advisories/GHSA-jg74-mwgw-v6x3
https://nvd.nist.gov/vuln/detail/CVE-2024-7594
https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251
https://github.com/hashicorp/vault
https://pkg.go.dev/vuln/GO-2024-3162
https://security.netapp.com/advisory/ntap-20250110-0007

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2024-7594

Severity

Summary

Description

References

Affected packages

Products

Why Chainguard

Customers

Company

Resources