CVE-2024-2660 — Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses

Description

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

How to fix CVE-2024-2660

To remediate CVE-2024-2660, upgrade the affected package to a fixed version below.

—upgrade to 1.16.0 or later
—upgrade to 1.16.0 or later
—upgrade to 1.16.0 or later

Is CVE-2024-2660 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 1.14.0, < 1.16.0
from 0, < 1.16.0
from 0, < 1.16.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.4	CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYgithub.com/advisories/GHSA-j2rp-gmqv-frhv
ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-2660
PATCHgithub.com/hashicorp/vault
WEBdiscuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573