
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-6468 affects Vault and Vault Enterprise: a vulnerability exists in the handling of requests from unauthorized IP addresses when the TCP listener option proxy_protocol_behavior is set to deny_unauthorized. The vulnerability was discovered and disclosed on July 11, 2024. It affects versions 1.10.0 through 1.15.11 and has been fixed in versions 1.17.2, 1.16.6, and 1.15.12 (HashiCorp Discussion).
The vulnerability occurs when the proxy_protocol_behavior option in the TCP listener stanza is set to deny_unauthorized. When a request arrives from a source IP address not listed in proxy_protocol_authorized_addrs, the Vault API returns an unhandled error instead of properly dropping the denied request. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a high-severity issue that is reachable over the network and requires no privileges or user interaction (NVD).
When exploited, this vulnerability causes the Vault API service to quit and no longer respond to any HTTP requests, resulting in a denial of service condition. This effectively makes the Vault service unavailable for all users, regardless of their authorization status (HashiCorp Discussion).
Organizations using proxy_protocol_behavior with the deny_unauthorized option in the TCP listener should upgrade to Vault version 1.17.2, 1.16.6, or 1.15.12. Alternatively, they can consider not using the proxy_protocol_behavior feature entirely. HashiCorp provides guidance for upgrading through its standard upgrade documentation (HashiCorp Discussion).
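As an added example (not from the advisory and not HashiCorp's own tooling), the following Python audit script flags "tcp" listeners configured with deny_unauthorized when the running Vault version falls in the affected range. The regex-based scan is a simplification that assumes flat listener stanzas with no nested blocks, and the affected 1.16.x and 1.17.x ranges are inferred from the fix versions named above rather than stated explicitly on the page.

```python
import re
from typing import List, Tuple

# Fixed releases named in the advisory. Anything older on the same minor line is
# treated as affected; the 1.16.x/1.17.x ranges are inferred from these fixes.
FIXED = {(1, 15): (1, 15, 12), (1, 16): (1, 16, 6), (1, 17): (1, 17, 2)}
FIRST_AFFECTED = (1, 10, 0)

def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn a Vault version string such as 'v1.15.11' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {s!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(version: str) -> bool:
    """True if this Vault version is in the range affected by CVE-2024-6468."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Minor lines 1.10 to 1.14 received no fix; 1.18+ shipped after the fix.
        return v[:2] < (1, 15)
    return v < fixed

LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
BEHAVIOR_RE = re.compile(r'proxy_protocol_behavior\s*=\s*"([^"]*)"')
ADDRESS_RE = re.compile(r'\baddress\s*=\s*"([^"]*)"')

def exposed_listeners(config_hcl: str, version: str) -> List[str]:
    """Return the addresses of tcp listeners that expose CVE-2024-6468."""
    if not version_affected(version):
        return []
    exposed = []
    for block in LISTENER_RE.finditer(config_hcl):
        body = block.group(1)
        behavior = BEHAVIOR_RE.search(body)
        if behavior and behavior.group(1) == "deny_unauthorized":
            addr = ADDRESS_RE.search(body)
            exposed.append(addr.group(1) if addr else "<no address>")
    return exposed

# Constructed sample config: one listener uses the affected setting, one does not.
SAMPLE_CONFIG = """
listener "tcp" {
  address                         = "0.0.0.0:8200"
  proxy_protocol_behavior         = "deny_unauthorized"
  proxy_protocol_authorized_addrs = "10.0.0.5,10.0.0.6"
}
listener "tcp" {
  address = "127.0.0.1:8201"
}
"""
```

Run `exposed_listeners(SAMPLE_CONFIG, "1.15.11")` to see the first listener reported, and the same call with "1.15.12" returns nothing because that release carries the fix.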
Source: This report was generated using AI