CVE-2024-6468— HashiCorp Vault和HashiCorp Vault Enterprise 安全漏洞

Vault Vulnerable to Denial of Service When Setting a Proxy Protocol Behavior

Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service. While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur. Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

对异常条件检查或处理不恰当

HashiCorp Vault和HashiCorp Vault Enterprise 安全漏洞

HashiCorp Vault和HashiCorp Vault Enterprise都是美国HashiCorp公司的产品。HashiCorp Vault是一款私钥访问管理工具。HashiCorp Vault Enterprise是一个企业信息归档平台。可在所有通信平台上捕获信息--将信息从本地无缝迁移到云，并自动识别最相关的内容以确保法规遵从性。 HashiCorp Vault和HashiCorp Vault Enterprise 1.10.0至1.15.11版本存在安全漏洞，该漏洞源于未正确处理来自未经

N/A

N/A