CVE-2024-2877— Vault Enterprise Leaks Sensitive HTTP Request Headers in the Audit Log When Deployed With a Performance Standby Node
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-2877
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vault Enterprise Leaks Sensitive HTTP Request Headers in the Audit Log When Deployed With a Performance Standby Node
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request information in cleartext. This vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过日志文件的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
HashiCorp Vault Enterprise 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
HashiCorp Vault Enterprise是美国HashiCorp公司的一个企业信息归档平台。可在所有通信平台上捕获信息--将信息从本地无缝迁移到云,并自动识别最相关的内容以确保法规遵从性。 HashiCorp Vault Enterprise 1.15.8之前版本存在安全漏洞,该漏洞源于在配置了性能备用节点和已配置的审核设备时,会无意中在备用节点上记录请求标头,这些日志可能包含明文形式的敏感 HTTP 请求信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| HashiCorp | Vault Enterprise | 1.15.0 ~ 1.15.8 | - |
II. Public POCs for CVE-2024-2877
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-2877
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: HashiCorp
- CVE-2026-7776
Boundary Workers Vulnerable to Denial of Service During TLS - CVE-2026-5807
Vault Vulnerable to Denial-of-Service via Unauthenticated Ro - CVE-2026-4525
Vault Token Leaked to Backends via Authorization: Bearer Pas - CVE-2026-5052
Vault Vulnerable to Server-Side Request Forgery in ACME Chal - CVE-2026-3605
Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial
Same weakness: CWE-532
- CVE-2026-42282
n8n-MCP: Sensitive MCP tool-call arguments logged on authent - CVE-2026-41495
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Req - CVE-2026-41004
VMware Spring Cloud Config 日志信息泄露漏洞 - CVE-2024-30151
HCL BigFix Service Management (SM) is susceptible to Broken - CVE-2026-7824
PaperCut Hive (Ricoh): Plain text password in logs
V. Comments for CVE-2024-2877
No comments yet