CVE-2024-5798 Information

Description

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match allowing an invalid login to succeed when it should have been rejected.

This vulnerability CVE-2024-5798 was fixed in Vault and Vault Enterprise 1.17.0 1.16.3 and 1.15.9

Reference

https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770