
Cloud Vulnerability DB
A community-led vulnerabilities database
HashiCorp Vault and Vault Enterprise versions 1.15.0 through 1.15.4 contain a vulnerability (CVE-2024-0831) that could expose sensitive information when configuring audit devices. The vulnerability was discovered by the Vault engineering team and was fixed in version 1.15.5. The issue affects the audit device configuration when using the log_raw option (HashiCorp Advisory).
The vulnerability occurs when enabling an audit device with the log_raw option set to true. In affected versions, instead of applying only to the specified audit device, the log_raw setting is applied globally to all configured audit devices in the Vault deployment. This results in sensitive data being logged in clear text across all audit devices, regardless of their individual configurations. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).
When exploited, this vulnerability could lead to the disclosure of sensitive information in audit logs where such data should have been hashed. Normally, sensitive information like passwords should be hashed using HMAC-SHA256 with a salt, but the vulnerability causes this data to be logged in its raw format across all audit devices, potentially exposing confidential information (HashiCorp Docs).
Organizations should upgrade to Vault version 1.15.5 or newer to address this vulnerability. For systems still running a vulnerable version, it is recommended to disable any audit device that uses the log_raw option. Additionally, organizations should review their audit logs for sensitive data that may have been captured and, where such data is found, take appropriate action such as rotating or revoking the affected credentials (HashiCorp Advisory).
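As an added example (not from the advisory or from HashiCorp), the following Python check combines the two facts above: it parses the version string reported by `vault status -format=json` and the device list from `vault audit list -detailed -format=json` (the JSON shape is assumed to follow the sys/audit API response, with option values as strings) and reports which devices are logging unhashed data. The sample device list is constructed.

```python
"""Flag Vault audit devices affected by CVE-2024-0831 from saved CLI JSON output."""
import json
import re

# Affected range from the advisory: 1.15.0 through 1.15.4, fixed in 1.15.5.
AFFECTED_MIN = (1, 15, 0)
AFFECTED_MAX = (1, 15, 4)


def parse_version(version: str) -> tuple:
    """Parse version strings such as '1.15.3' or the Enterprise form '1.15.3+ent'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Vault version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def raw_logging_devices(audit_list: dict) -> list:
    """Return paths of audit devices whose options enable log_raw.

    Option values in the sys/audit response are strings (assumed shape), so
    'true' is compared case-insensitively rather than as a boolean.
    """
    flagged = []
    for path, device in audit_list.items():
        options = device.get("options") or {}
        if str(options.get("log_raw", "false")).lower() == "true":
            flagged.append(path)
    return sorted(flagged)


def assess(version: str, audit_list: dict) -> dict:
    """On an affected version, one log_raw device makes every device log in
    clear text, so all device paths are reported as exposed, not only the raw one."""
    raw = raw_logging_devices(audit_list)
    affected = is_affected_version(version)
    exposed = sorted(audit_list) if (affected and raw) else raw
    return {"version": version, "affected_version": affected,
            "log_raw_devices": raw, "devices_logging_cleartext": exposed}


# Constructed sample: two file devices, only one configured with log_raw.
SAMPLE_AUDIT_LIST = json.loads("""{
  "file/": {"type": "file", "path": "file/",
            "options": {"file_path": "/var/log/vault_audit.log"}},
  "debug/": {"type": "file", "path": "debug/",
             "options": {"file_path": "/var/log/vault_debug.log", "log_raw": "true"}}
}""")

if __name__ == "__main__":
    print(json.dumps(assess("1.15.3+ent", SAMPLE_AUDIT_LIST), indent=2))
```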
Source: This report was generated using AI