{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-2660", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2024-03-19T17:34:27.401Z", "datePublished": "2024-04-04T17:55:20.192Z", "dateUpdated": "2024-04-04T17:55:20.192Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "1.16.0", "status": "affected", "version": "1.14.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault Enterprise", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.14.11", "status": "unaffected"}, {"at": "1.15.7", "status": "unaffected"}], "lessThan": "1.16.0", "status": "affected", "version": "1.14.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11."}], "value": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11."}], "impacts": [{"capecId": "CAPEC-26", "descriptions": [{"lang": "en", "value": "CAPEC-26: Leveraging Race Conditions"}]}], "metrics": [{"cvssV3_1": {"baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-703", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-04-04T17:55:20.192Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0007/"}], "source": {"advisory": "HCSEC-2024-07", "discovery": "INTERNAL"}, "title": "Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2660", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T16:05:40.204182Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:29:09.743Z"}}]}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11."}, {"lang": "es", "value": "El m\u00e9todo de autenticaci\u00f3n de los certificados TLS de Vault y Vault Enterprise no validaba correctamente las respuestas de OCSP cuando se configuraban uno o m\u00e1s or\u00edgenes de OCSP. Se corrigi\u00f3 en Vault 1.16.0 y Vault Enterprise 1.16.1, 1.15.7 y 1.14.11."}], "id": "CVE-2024-2660", "lastModified": "2024-06-10T17:16:25.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2024-04-04T18:15:14.783", "references": [{"source": "security@hashicorp.com", "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"}, {"source": "security@hashicorp.com", "url": "https://security.netapp.com/advisory/ntap-20240524-0007/"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-703"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{}