CVE-2024-2048 — Vulnetix

CVE-2024-2048 PUBLISHED

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.

EPSS 0.25% · 48.8th percentile

Risk Scores

EPSS Score

0.25%

48.8th percentile

Affected Products

Vendor	Product	Versions
Bitnami	vault	1.15.5
Bitnami	vault	1.15.5

Timeline

Mar 4, 2024 CVE Published
Mar 5, 2024 EPSS Score
Mar 31, 2024 EPSS Score
Apr 26, 2024 EPSS Score
May 23, 2024 EPSS Score
Jun 18, 2024 EPSS Score
Jul 14, 2024 EPSS Score
Aug 13, 2024 EPSS Score
Sep 8, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score
Oct 5, 2024 EPSS Score
Oct 31, 2024 EPSS Score

References

https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382 url
https://security.netapp.com/advisory/ntap-20240524-0009/ url
https://nvd.nist.gov/vuln/detail/CVE-2024-2048 url

Open in Interactive Console →