Base Score

MEDIUM6.8

CVE-2024-2660

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

VectorADJACENT_NETWORK

Published Bysecurity@hashicorp.com

Published DateApr 04, 2024, 18:15

Affected Versions(1)

github.com/hashicorp/vault(Go)

Introduced0

Fixed1.16.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/hashicorp/vault(Go)	0	1.16.0	N/A

Weakness Type (CWE):CWE-636

CVSS Metrics

Base Score

6.8

Vector String

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

ADJACENT_NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

MEDIUM6.8

Weakness Type (CWE):CWE-636

CVSS Metrics

Base Score

6.8

Vector String

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

ADJACENT_NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH