CVE-2024-2048: Incorrect TLS certificate auth method in Vault

March 4, 2024 (updated March 6, 2024)

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.

References

discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382
github.com/advisories/GHSA-r3w7-mfpm-c2vw
github.com/hashicorp/vault
nvd.nist.gov/vuln/detail/CVE-2024-2048

Detect and mitigate CVE-2024-2048 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →