ByteOS Network

NVD Vulnerability Details :

CVE-2024-5798

Analyzed

Source-security@hashicorp.com

Published At-12 Jun, 2024 | 19:15

Updated At-07 Aug, 2025 | 16:56

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	2.6	LOW	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
Primary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CPE Matches

HashiCorp, Inc.

>>vault>>Versions from 0.11.0(inclusive) to 1.15.9(exclusive)

cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*

HashiCorp, Inc.

>>vault>>Versions from 0.11.0(inclusive) to 1.15.9(exclusive)

cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

HashiCorp, Inc.

>>vault>>Versions from 1.16.0(inclusive) to 1.16.3(exclusive)

cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*

HashiCorp, Inc.

>>vault>>Versions from 1.16.0(inclusive) to 1.16.3(exclusive)

cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-285	Secondary	security@hashicorp.com

References

Hyperlink	Source	Resource
https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770	security@hashicorp.com	Vendor Advisory
https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770	af854a3a-2127-422b-91ae-364da2661108	Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History