2315013 – (CVE-2024-7594) CVE-2024-7594 hashicorp/vault: Vault SSH secrets engine configuration did not restrict valid principals by default

Bug 2315013 (CVE-2024-7594) - CVE-2024-7594 hashicorp/vault: Vault SSH secrets engine configuration did not restrict valid principals by default

Summary: CVE-2024-7594 hashicorp/vault: Vault SSH secrets engine configuration did not...

Keywords:
Status:	NEW
Alias:	CVE-2024-7594
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-09-26 20:20 UTC by OSIDB Bzimport
Modified:	2025-03-11 06:09 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-09-26 20:20:36 UTC

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.

Note You need to log in before you can comment on or make changes to this bug.