CVE-2024-6468
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/07/2024
Last modified:
13/08/2025
Description
Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service.<br />
<br />
While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur.<br />
<br />
Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* | 1.10.0 (including) | 1.15.12 (excluding) |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* | 1.10.0 (including) | 1.15.12 (excluding) |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* | 1.16.0 (including) | 1.16.6 (excluding) |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* | 1.16.0 (including) | 1.16.6 (excluding) |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* | 1.17.0 (including) | 1.17.2 (excluding) |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* | 1.17.0 (including) | 1.17.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page