Bug 2262236 (CVE-2024-0831)

Summary: CVE-2024-0831 hashicorp vault: sensitive information disclosure
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, dfreiber, drow, jburrell, jkoehler, mrajanna, muagarwa, nbecker, odf-bz-bot, sapillai, tnielsen, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A sensitive information disclosure vulnerability was found in HashiCorp Vault. Enabling an audit device that specifies the `log_raw` option may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2262243, 2262244, 2262245, 2262246, 2262247, 2262248, 2262249, 2262250, 2262251
Bug Blocks: 2262242

Description ybuenos 2024-02-01 11:21:56 UTC
Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.

https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration
https://link-to-discuss
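Added example (editor's addition, not part of the bug report, the HashiCorp advisory, or Vault's own code): two checks an operator can run against an affected cluster. The first parses the output of `vault audit list -format=json` and lists every device that has `log_raw` set, since one such device is the trigger for this issue. The second scans audit log lines written by any device, including ones configured without `log_raw`, for secret-bearing fields that lack the `hmac-sha256:` prefix Vault applies to HMAC'd values; that is what the leak described above looks like on disk. The device listing and the three log lines are constructed fixtures shaped like Vault's real output, with invented paths, tokens and values.

```python
import json

# Constructed fixture shaped like the output of `vault audit list -format=json`:
# a map from mount path to device config. Vault returns option values as strings.
# Names, paths and values here are invented for the example.
AUDIT_DEVICES_JSON = """
{
  "file/": {
    "type": "file",
    "description": "primary audit log",
    "options": {"file_path": "/var/log/vault/audit.log"},
    "local": false,
    "path": "file/"
  },
  "debug/": {
    "type": "file",
    "description": "extra device enabled during troubleshooting",
    "options": {"file_path": "/tmp/vault_debug.log", "log_raw": "true"},
    "local": false,
    "path": "debug/"
  }
}
"""

# Constructed audit log lines. With default settings Vault HMACs secret-bearing
# fields, so they appear with an "hmac-sha256:" prefix (lines 1 and 2). Line 3
# models what a device without log_raw writes when raw logging leaks into it:
# the client token and the response data appear in clear.
AUDIT_LOG_LINES = [
    '{"type":"request","auth":{"client_token":"hmac-sha256:4f3a..."},'
    '"request":{"path":"secret/data/app","client_token":"hmac-sha256:4f3a..."}}',
    '{"type":"response","auth":{"client_token":"hmac-sha256:4f3a..."},'
    '"request":{"path":"secret/data/app"},'
    '"response":{"data":{"data":{"password":"hmac-sha256:9b1c..."}}}}',
    '{"type":"response","auth":{"client_token":"hvs.CAESIExampleTokenValue"},'
    '"request":{"path":"secret/data/app"},'
    '"response":{"data":{"data":{"password":"P@ssw0rd!"}}}}',
]

HMAC_PREFIX = "hmac-sha256:"
# Keys Vault HMACs wherever they occur. Request and response payloads are also
# HMAC'd field by field unless a mount is tuned to exclude specific keys
# (audit_non_hmac_request_keys / audit_non_hmac_response_keys); add those
# exclusions here if your mounts use them.
ALWAYS_HASHED_KEYS = {"client_token", "accessor"}
HASHED_SUBTREES = ("request.data.", "response.data.")


def devices_with_log_raw(audit_list_json: str) -> list[str]:
    """Return mount paths of audit devices that have log_raw enabled."""
    devices = json.loads(audit_list_json)
    return sorted(
        path
        for path, cfg in devices.items()
        if str((cfg.get("options") or {}).get("log_raw", "false")).lower() == "true"
    )


def _leaves(obj, prefix=""):
    """Yield (dotted_path, value) for every scalar in a nested JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _leaves(val, f"{prefix}[{idx}]")
    else:
        yield prefix, obj


def unhashed_sensitive_fields(line: str) -> list[str]:
    """Return dotted paths of fields that should be HMAC'd but carry raw values."""
    leaks = []
    for path, value in _leaves(json.loads(line)):
        if not isinstance(value, str):
            continue
        key = path.rsplit(".", 1)[-1]
        expected_hashed = key in ALWAYS_HASHED_KEYS or path.startswith(HASHED_SUBTREES)
        if expected_hashed and not value.startswith(HMAC_PREFIX):
            leaks.append(path)
    return sorted(leaks)


def scan_audit_log(lines) -> dict[int, list[str]]:
    """Map 1-based line numbers to the raw sensitive fields found on that line."""
    findings = {}
    for lineno, line in enumerate(lines, start=1):
        fields = unhashed_sensitive_fields(line)
        if fields:
            findings[lineno] = fields
    return findings


if __name__ == "__main__":
    print("devices with log_raw:", devices_with_log_raw(AUDIT_DEVICES_JSON))
    print("lines with raw values:", scan_audit_log(AUDIT_LOG_LINES))
```

Run the first check against `vault audit list -format=json` to find the device that must be disabled or re-enabled without `log_raw`; run the second over the files of the devices that were supposed to be HMAC-only, since the point of this bug is that those files are where the exposure ends up. A hit there means the log files themselves now hold live tokens and secrets and should be handled (rotated, access-restricted) accordingly. The HMAC heuristic assumes default mount tuning; mounts with non-HMAC key exclusions will legitimately show raw values under those keys.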

Comment 3 Vipul Nair 2024-04-08 09:03:53 UTC
openshift-container-storage-4 uses HashiCorp Vault 1.4 and above.