Security context
Low· 2.6GHSA-32cj-5wx4-gq8p CVE-2024-5798CWE-285Published Jun 12, 2024

HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.17.0-rc1 → fixed in 1.17.01.16.0-rc1 → fixed in 1.16.30.11.0 → fixed in 1.15.9

Details

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References