Vulnerability Report: GO-2024-2617
- Aliases: CVE-2024-2048, GHSA-r3w7-mfpm-c2vw
- Affects: github.com/hashicorp/vault
- Published: Mar 14, 2024
- Modified: May 20, 2024
The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.
For detailed information about this vulnerability, visit https://nvd.nist.gov/vuln/detail/CVE-2024-2048.
Affected Modules
- Path: github.com/hashicorp/vault
- Go Versions: before v1.14.10, from v1.15.0 before v1.15.5
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-2048
- https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382
- https://vuln.go.dev/ID/GO-2024-2617.json