THREATINT
PUBLISHED

CVE-2024-7594

Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default



Description

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.
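To audit certificates that have already been issued, the sketch below reads the valid principals field of an OpenSSH user certificate and flags one where it is empty, the kind of certificate the description is about. It is an added example, not code from HashiCorp or this page; it handles only ed25519 certificates, and the function names and the constructed, unsigned sample input are assumptions made for illustration.

```python
import base64
import struct

ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"

def _read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def cert_principals(pub_line):
    """Return (cert_type, principals) for one line of a *-cert.pub file."""
    blob = base64.b64decode(pub_line.split()[1])
    ktype, off = _read_string(blob, 0)
    if ktype != ED25519_CERT:
        raise ValueError("only ed25519 certificates are handled here")
    _, off = _read_string(blob, off)        # nonce
    _, off = _read_string(blob, off)        # public key
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12                               # uint64 serial + uint32 type
    _, off = _read_string(blob, off)        # key id
    packed, off = _read_string(blob, off)   # valid principals (packed strings)
    names, p = [], 0
    while p < len(packed):
        name, p = _read_string(packed, p)
        names.append(name.decode())
    return ctype, names

def has_empty_principals(pub_line):
    """True for a user certificate (type 1) that names no principals."""
    ctype, names = cert_principals(pub_line)
    return ctype == 1 and not names

def _s(b):
    return struct.pack(">I", len(b)) + b

def sample_cert(principals):
    """Constructed, unsigned cert prefix (fields up to valid principals); demo input only."""
    body = (_s(ED25519_CERT) + _s(b"\x00" * 32) + _s(b"\x01" * 32)
            + struct.pack(">QI", 7, 1) + _s(b"constructed-key-id")
            + _s(b"".join(_s(p.encode()) for p in principals)))
    return ED25519_CERT.decode() + " " + base64.b64encode(body).decode()

if __name__ == "__main__":
    for plist in ([], ["deploy"]):
        print(plist, "->", has_empty_principals(sample_cert(plist)))
```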

Reserved 2024-08-07 | Published 2024-09-26 | Updated 2024-09-26 | Assigner HashiCorp


HIGH: 7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-732: Incorrect Permission Assignment for Critical Resource

Product status

Default status
unaffected

1.7.7 before 1.17.6
affected

Default status
unaffected

1.7.7 before 1.17.6
affected

References

discuss.hashicorp.com/...t-valid-principals-by-default/70251

cve.org (CVE-2024-7594)

nvd.nist.gov (CVE-2024-7594)
