-
Notifications
You must be signed in to change notification settings - Fork 58
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Aliases: CVE-2024-2048, GHSA-r3w7-mfpm-c2vw Fixes #2617 Change-Id: Ie67b630e60002c213349b90187f6fd47bb0604f5 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/570724 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
- Loading branch information
Maceo Thompson
committed
Mar 14, 2024
1 parent
82d1a75
commit 047945c
Showing
2 changed files
with
74 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| { | ||
| "schema_version": "1.3.1", | ||
| "id": "GO-2024-2617", | ||
| "modified": "0001-01-01T00:00:00Z", | ||
| "published": "0001-01-01T00:00:00Z", | ||
| "aliases": [ | ||
| "CVE-2024-2048", | ||
| "GHSA-r3w7-mfpm-c2vw" | ||
| ], | ||
| "summary": "Authentication bypass in github.com/hashicorp/vault", | ||
| "details": "The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.", | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "name": "github.com/hashicorp/vault", | ||
| "ecosystem": "Go" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "SEMVER", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.14.10" | ||
| }, | ||
| { | ||
| "introduced": "1.15.0" | ||
| }, | ||
| { | ||
| "fixed": "1.15.5" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "ecosystem_specific": {} | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2048" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "url": "https://pkg.go.dev/vuln/GO-2024-2617" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| id: GO-2024-2617 | ||
| modules: | ||
| - module: github.com/hashicorp/vault | ||
| versions: | ||
| - fixed: 1.14.10 | ||
| - introduced: 1.15.0 | ||
| fixed: 1.15.5 | ||
| vulnerable_at: 1.15.4 | ||
| summary: Authentication bypass in github.com/hashicorp/vault | ||
| description: |- | ||
| The TLS certificate authentication method incorrectly validates client | ||
| certificates when configured with a non-CA certificate as a trusted certificate. | ||
| When configured this way, attackers may be able to craft a certificate that can | ||
| be used to bypass authentication. | ||
| cves: | ||
| - CVE-2024-2048 | ||
| ghsas: | ||
| - GHSA-r3w7-mfpm-c2vw | ||
| references: | ||
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2048 | ||
| - web: https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382 |