x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-32cj-5wx4-gq8p #2921

GoVulnBot · 2024-06-12T23:01:22Z

In GitHub Security Advisory GHSA-32cj-5wx4-gq8p, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/hashicorp/vault	1.15.9	>= 0.11.0, < 1.15.9

Cross references:

Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gq98-53rq-qr5h #1849 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9mh8-9j64-443f #1897 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-wmg5-g953-qqfw #1900 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9v3w-w2jh-4hff #1986 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v84f-6r39-cpfc #2063 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-86c6-3g63-5w64 #2088 NOT_IMPORTABLE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-4qhc-v8r6-8vwm #2329 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-j6vv-vv26-rh7c #2485 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-m979-w9wj-qfj9 #2486 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-4mp7-2m29-gqxf #2488 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rpgp-9hmg-j25x #2508 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rq95-xf66-j689 #2509 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: CVE-2024-0831 #2511 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-57gg-cj55-q5g2 #2514 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-vq4h-9ghm-qmrr #1709
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6p62-6cg9-f5f5 #2399
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-r3w7-mfpm-c2vw #2617
Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-j2rp-gmqv-frhv #2690

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/vault
      non_go_versions:
        - introduced: TODO (earliest fixed "1.17.0", vuln range "= 1.17.0-rc1")
      vulnerable_at: 1.17.0
      packages:
        - package: github.com/hashicorp/vault
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 0.11.0
          fixed: 1.15.9
      packages:
        - package: github.com/hashicorp/vault
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 1.16.0-rc1
          fixed: 1.16.3
      vulnerable_at: 1.16.2
      packages:
        - package: github.com/hashicorp/vault
summary: HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault
cves:
    - CVE-2024-5798
ghsas:
    - GHSA-32cj-5wx4-gq8p
references:
    - advisory: https://github.com/advisories/GHSA-32cj-5wx4-gq8p
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-5798
    - web: https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770
notes:
    - fix: 'module merge error: could not merge versions of module github.com/hashicorp/vault: invalid or non-canonical semver version (found TODO (earliest fixed "1.17.0", vuln range "= 1.17.0-rc1"))'
    - fix: 'github.com/hashicorp/vault: could not add vulnerable_at: version 1.15.9 does not exist'
source:
    id: GHSA-32cj-5wx4-gq8p
    created: 2024-06-12T23:01:21.799534403Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-07-01T18:17:52Z

Change https://go.dev/cl/595957 mentions this issue: data/reports: add 5 reports

gopherbot · 2024-08-16T21:16:52Z

Change https://go.dev/cl/606360 mentions this issue: data/reports: regenerate 8 reports

- data/reports/GO-2024-2993.yaml - data/reports/GO-2024-2997.yaml - data/reports/GO-2024-3033.yaml - data/reports/GO-2024-3039.yaml - data/reports/GO-2024-2921.yaml - data/reports/GO-2024-2982.yaml - data/reports/GO-2024-3066.yaml - data/reports/GO-2024-3070.yaml Updates #2993 Updates #2997 Updates #3033 Updates #3039 Updates #2921 Updates #2982 Updates #3066 Updates #3070 Change-Id: I5a682ceba4983a42b0d7783535488c5ecf049f25 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606360 LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]>

tatianab added the triaged label Jun 13, 2024

tatianab self-assigned this Jun 25, 2024

gopherbot closed this as completed in 95ad15a Jul 1, 2024

GoVulnBot mentioned this issue Jul 12, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-2qmw-pvf7-4mw6 #2982

Closed

GoVulnBot mentioned this issue Sep 3, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jjxf-26c9-77gm #3113

Closed

GoVulnBot mentioned this issue Sep 26, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jg74-mwgw-v6x3 #3162

Closed

GoVulnBot mentioned this issue Oct 10, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rr8j-7w34-xp5j #3191

Closed

GoVulnBot mentioned this issue Oct 31, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-g233-2p4r-3q7v #3246

Closed

This was referenced May 2, 2025

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-f9ch-h8j7-8jwg #3662

Closed

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gcqf-f89c-68hv #3663

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-32cj-5wx4-gq8p #2921

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-32cj-5wx4-gq8p #2921

GoVulnBot commented Jun 12, 2024

gopherbot commented Jul 1, 2024

gopherbot commented Aug 16, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-32cj-5wx4-gq8p #2921

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-32cj-5wx4-gq8p #2921

Comments

GoVulnBot commented Jun 12, 2024

gopherbot commented Jul 1, 2024

gopherbot commented Aug 16, 2024