CVE-2024-5798 — Vulnetix

CVE-2024-5798 PUBLISHED

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

EPSS 0.28% · 51.9th percentile

Risk Scores

EPSS Score

0.28%

51.9th percentile

Affected Products

Vendor	Product	Versions
Bitnami	vault	0.11.0
Bitnami	vault	0.11.0

Timeline

Jun 12, 2024 CVE Published
Jun 13, 2024 EPSS Score
Jul 6, 2024 EPSS Score
Jul 29, 2024 EPSS Score
Aug 21, 2024 EPSS Score
Sep 13, 2024 EPSS Score
Oct 5, 2024 EPSS Score
Oct 5, 2024 Coalition ESS Score
Oct 28, 2024 EPSS Score
Nov 20, 2024 EPSS Score
Dec 14, 2024 EPSS Score
Jan 6, 2025 EPSS Score

References

https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770 url
https://nvd.nist.gov/vuln/detail/CVE-2024-5798 url

Open in Interactive Console →