Bug 2273634 (CVE-2024-2660) - CVE-2024-2660 Vault: Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses
Summary: CVE-2024-2660 Vault: Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses
Keywords:
Status: NEW
Alias: CVE-2024-2660
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2273636 2273637 2273638 2273640 2273641 2273635 2273639 2273642
Blocks:
Reported: 2024-04-05 12:40 UTC by Avinash Hanwate
Modified: 2024-04-05 18:13 UTC (History)

Fixed In Version: Vault 1.16.0
Doc Type: ---
Doc Text:
A flaw was found in the OCSP response handling logic of Vault’s TLS certificate authentication method. This issue may result in signatures and responses from multiple servers not being handled properly. A malicious actor with privileged network access may be able to successfully authenticate via Vault’s TLS certificate authentication method with incorrect certificate status information.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2024-04-05 12:40:45 UTC
The Vault and Vault Enterprise TLS certificate auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573
