
CVE-2024-0831: HashiCorp Vault may expose sensitive log information

CVSS Score (v3.1): 4.5

Basic Information

EPSS Score: 0.40642%
Published: 2/1/2024
Updated: 2/23/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
github.com/hashicorp/vault | go | >= 1.15.0, < 1.15.5 | 1.15.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how audit events were processed. The key changes in the patch are:

  1. The payload type changed from *auditEvent to *AuditEvent (an exported type, indicating structural changes to the event)
  2. A new AuditEvent (a2) is created from cloned data instead of the formatter working on the original payload
  3. A new eventlogger.Event (e2) is created to carry the formatted output instead of the input event being modified in place

This shows that the original code let audit devices cross-contaminate each other. EntryFormatter.Process formatted the audit data and passed the modified event on to subsequent sinks, so a device with `log_raw` enabled left raw (un-hashed) data in the shared event payload, where devices that had not enabled `log_raw` could pick it up and write it to their own logs.
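As an added illustration of the mechanism described above (example code written for this page, not Vault's own source): two toy audit devices, one hashing and one with `log_raw`, share a single event in the vulnerable pattern and each get their own cloned event in the fixed one. The Event, Device, BrokerShared and BrokerCloned names, the "every formatter runs before any sink" ordering, and the unsalted SHA-256 standing in for Vault's salted HMAC-SHA256 are all simplifications assumed here; only the AuditEvent, a2 and e2 names come from the analysis above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent stands in for the audit payload the analysis above calls AuditEvent.
type AuditEvent struct {
	Path string            `json:"path"`
	Data map[string]string `json:"data"`
}

// Clone deep-copies the payload (the a2 step of the fix).
func (a *AuditEvent) Clone() *AuditEvent {
	c := &AuditEvent{Path: a.Path, Data: make(map[string]string, len(a.Data))}
	for k, v := range a.Data {
		c.Data[k] = v
	}
	return c
}

// Event mirrors eventlogger.Event: a payload plus a Formatted map the formatter node fills for the sink node.
type Event struct {
	Payload   *AuditEvent
	Formatted map[string][]byte // keyed by format name; all devices here use "json"
}

// Device is a toy audit device: its log_raw option and the lines its sink wrote.
type Device struct {
	LogRaw bool
	Lines  []string
}

// render is the formatter step: raw data with log_raw, otherwise every value hashed (SHA-256 here, assumed stand-in for Vault's salted HMAC).
func render(a *AuditEvent, logRaw bool) []byte {
	view := a
	if !logRaw {
		view = a.Clone()
		for k, v := range view.Data {
			sum := sha256.Sum256([]byte(v))
			view.Data[k] = "hmac-sha256:" + hex.EncodeToString(sum[:])
		}
	}
	b, _ := json.Marshal(view)
	return b
}

// BrokerShared models the vulnerable pattern: one Event is handed to every device, each formatter
// writes into it and each sink reads it back, so the last formatter to write decides what every sink
// logs. Running all formatters before any sink is an ASSUMED ordering chosen for determinism.
func BrokerShared(devices []*Device, a *AuditEvent) {
	e := &Event{Payload: a, Formatted: map[string][]byte{}}
	for _, d := range devices {
		e.Formatted["json"] = render(e.Payload, d.LogRaw)
	}
	for _, d := range devices {
		d.Lines = append(d.Lines, string(e.Formatted["json"]))
	}
}

// BrokerCloned models the fix: each formatter emits its own Event (e2) built around a cloned
// payload (a2), so a sink only ever sees its own formatter's output.
func BrokerCloned(devices []*Device, a *AuditEvent) {
	outputs := make([]*Event, len(devices))
	for i, d := range devices {
		a2 := a.Clone()
		e2 := &Event{Payload: a2, Formatted: map[string][]byte{}}
		e2.Formatted["json"] = render(a2, d.LogRaw)
		outputs[i] = e2
	}
	for i, d := range devices {
		d.Lines = append(d.Lines, string(outputs[i].Formatted["json"]))
	}
}

// Leaked reports the CVE-2024-0831 condition: a device WITHOUT log_raw logged the plaintext secret.
func Leaked(devices []*Device, secret string) bool {
	for _, d := range devices {
		if !d.LogRaw && strings.Contains(strings.Join(d.Lines, "\n"), secret) {
			return true
		}
	}
	return false
}

func main() {
	const secret = "hvs.constructedSampleToken" // constructed sample value, not a real token
	ev := &AuditEvent{Path: "auth/token/lookup", Data: map[string]string{"token": secret}}
	shared := []*Device{{LogRaw: false}, {LogRaw: true}} // a hashing device, then a log_raw one
	cloned := []*Device{{LogRaw: false}, {LogRaw: true}}
	BrokerShared(shared, ev)
	BrokerCloned(cloned, ev)
	fmt.Println("shared event leaked:", Leaked(shared, secret), "cloned events leaked:", Leaked(cloned, secret))
}
```

With the shared event the hashing device ends up writing the same raw line as the `log_raw` device; with per-device clones it writes only hashed values and the original payload is left untouched. On a real deployment the practical check is whether any enabled device carries the option at all (`vault audit list -detailed` shows each device's options) and whether the server is in the affected 1.15.0 to 1.15.4 range.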


WAF Protection Rules

WAF Rule

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `lo
