CVE-2024-2877
Severity CVSS v4.0:
Pending analysis
Type:
CWE-532
Information Exposure Through Log Files
Publication date:
30/04/2024
Last modified:
08/08/2025
Description
Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request information in cleartext.<br />
<br />
This vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* | 1.15.0 (including) | 1.15.8 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://discuss.hashicorp.com/t/hsec-2024-10-vault-enterprise-leaks-sensitive-http-request-headers-in-audit-log-when-deployed-with-a-performance-standby-node
- https://security.netapp.com/advisory/ntap-20240614-0002/
- https://discuss.hashicorp.com/t/hsec-2024-10-vault-enterprise-leaks-sensitive-http-request-headers-in-audit-log-when-deployed-with-a-performance-standby-node
- https://security.netapp.com/advisory/ntap-20240614-0002/