CVE-2024-2660

low-risk
Published 2024-04-04

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

Do I need to act?

-
0.60% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.4/10 Medium
ADJACENT_NETWORK / HIGH complexity

Affected Products (2)

Affected Vendors

Hashicorp

References (3)

Vendor Advisory https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not...
Vendor Advisory https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not...
Third Party Advisory https://security.netapp.com/advisory/ntap-20240524-0007/
26
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 7/34 · Low