Vault Product Security Update Advisory (CVE-2024-9180)

Oct 16 2024

Overview

An update has been released to address vulnerabilities in Vault Products. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-9180

Vault Community Edition versions: 1.7.7 (inclusive) ~ 1.17.6 (inclusive)
Vault Enterprise versions: 1.7.7 (inclusive) ~ 1.15.15 (inclusive)
Vault Enterprise versions: 1.7.7 (inclusive) ~ 1.16.10 (inclusive)
Vault Enterprise versions: 1.7.7 (inclusive) ~ 1.17.6 (inclusive)

Resolved Vulnerabilities

Vulnerability that allows a privileged vault operator with write access to the identity endpoint in the root namespace to escalate privileges to the root policy of the vault (CVE-2024-9180)

Vulnerability Patches

The following product-specific vulnerability patches have been made available in the latest update. If you are using an affected version, Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.

CVE-2024-9180

Vault Community Edition version: 1.18.0
Vault Enterprise version: 1.15.16
Vault Enterprise version: 1.16.11
Vault Enterprise version: 1.18.0

References

[1] CVE-2024-9180 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-9180

[2] HCSEC-2024-21 – Vault Operators in Root Namespace May Elevate Their Privileges

https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565/1

Vault Product Security Update Advisory (CVE-2024-9180)

Btcd Security Update Advisory (CVE-2024-38365)

Mozilla Products October 2024 1st Security Update Advisory

Tags:

Btcd Security Update Advisory (CVE-2024-38365)

Mozilla Products October 2024 1st Security Update Advisory