CVE-2024-2660: HashiCorpVault does not correctly validate OCSP responses

April 4, 2024 (updated September 26, 2024)

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

References

discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573
github.com/advisories/GHSA-j2rp-gmqv-frhv
github.com/hashicorp/vault
nvd.nist.gov/vuln/detail/CVE-2024-2660
security.netapp.com/advisory/ntap-20240524-0007

Detect and mitigate CVE-2024-2660 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →