x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jjxf-26c9-77gm

Advisory [GHSA-jjxf-26c9-77gm](https://github.com/advisories/GHSA-jjxf-26c9-77gm) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/hashicorp/vault](https://pkg.go.dev/github.com/hashicorp/vault) |

Description:
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

References:
- ADVISORY: https://github.com/advisories/GHSA-jjxf-26c9-77gm
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-8365
- WEB: https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices

Cross references:
- github.com/hashicorp/vault appears in 33 other report(s):
  - data/reports/GO-2022-0578.yaml    (https://github.com/golang/vulndb/issues/578)
  - data/reports/GO-2022-0590.yaml    (https://github.com/golang/vulndb/issues/590)
  - data/reports/GO-2022-0611.yaml    (https://github.com/golang/vulndb/issues/611)
  - data/reports/GO-2022-0618.yaml    (https://github.com/golang/vulndb/issues/618)
  - data/reports/GO-2022-0620.yaml    (https://github.com/golang/vulndb/issues/620)
  - data/reports/GO-2022-0623.yaml    (https://github.com/golang/vulndb/issues/623)
  - data/reports/GO-2022-0632.yaml    (https://github.com/golang/vulndb/issues/632)
  - data/reports/GO-2022-0778.yaml    (https://github.com/golang/vulndb/issues/778)
  - data/reports/GO-2022-0816.yaml    (https://github.com/golang/vulndb/issues/816)
  - data/reports/GO-2022-0825.yaml    (https://github.com/golang/vulndb/issues/825)
  - data/reports/GO-2022-1021.yaml    (https://github.com/golang/vulndb/issues/1021)
  - data/reports/GO-2023-1685.yaml    (https://github.com/golang/vulndb/issues/1685)
  - data/reports/GO-2023-1708.yaml    (https://github.com/golang/vulndb/issues/1708)
  - data/reports/GO-2023-1709.yaml    (https://github.com/golang/vulndb/issues/1709)
  - data/reports/GO-2023-1849.yaml    (https://github.com/golang/vulndb/issues/1849)
  - data/reports/GO-2023-1897.yaml    (https://github.com/golang/vulndb/issues/1897)
  - data/reports/GO-2023-1900.yaml    (https://github.com/golang/vulndb/issues/1900)
  - data/reports/GO-2023-1986.yaml    (https://github.com/golang/vulndb/issues/1986)
  - data/reports/GO-2023-2063.yaml    (https://github.com/golang/vulndb/issues/2063)
  - data/reports/GO-2023-2088.yaml    (https://github.com/golang/vulndb/issues/2088)
  - data/reports/GO-2023-2329.yaml    (https://github.com/golang/vulndb/issues/2329)
  - data/reports/GO-2023-2399.yaml    (https://github.com/golang/vulndb/issues/2399)
  - data/reports/GO-2024-2485.yaml    (https://github.com/golang/vulndb/issues/2485)
  - data/reports/GO-2024-2486.yaml    (https://github.com/golang/vulndb/issues/2486)
  - data/reports/GO-2024-2488.yaml    (https://github.com/golang/vulndb/issues/2488)
  - data/reports/GO-2024-2508.yaml    (https://github.com/golang/vulndb/issues/2508)
  - data/reports/GO-2024-2509.yaml    (https://github.com/golang/vulndb/issues/2509)
  - data/reports/GO-2024-2511.yaml    (https://github.com/golang/vulndb/issues/2511)
  - data/reports/GO-2024-2514.yaml    (https://github.com/golang/vulndb/issues/2514)
  - data/reports/GO-2024-2617.yaml    (https://github.com/golang/vulndb/issues/2617)
  - data/reports/GO-2024-2690.yaml    (https://github.com/golang/vulndb/issues/2690)
  - data/reports/GO-2024-2921.yaml    (https://github.com/golang/vulndb/issues/2921)
  - data/reports/GO-2024-2982.yaml    (https://github.com/golang/vulndb/issues/2982)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 1.17.3
        - fixed: 1.17.5
      vulnerable_at: 1.17.4
summary: Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault
cves:
    - CVE-2024-8365
ghsas:
    - GHSA-jjxf-26c9-77gm
references:
    - advisory: https://github.com/advisories/GHSA-jjxf-26c9-77gm
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8365
    - web: https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices
source:
    id: GHSA-jjxf-26c9-77gm
    created: 2024-09-03T21:01:29.917801356Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jjxf-26c9-77gm #3113

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jjxf-26c9-77gm #3113

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions