CVE-2024-6468

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-6468

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-6468.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-6468

Aliases

Related

CGA-jf7r-3p4x-vgmm

Published

2024-07-11T21:15:12Z

Modified

2025-08-13T16:59:07.419945Z

Summary

[none]

Details

Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxyprotocolbehavior, was set to denyunauthorized. When receiving a request from a source IP address that was not listed in proxyprotocolauthorizedaddrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service.

While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur.

Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.

References

https://discuss.hashicorp.com/t/hcsec-2024-14-vault-vulnerable-to-denial-of-service-when-setting-a-proxy-protocol-behavior/68518

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/vault
Events: Introduced

72850df1bc10581b74ba5f0f7b3736f31c034235

Fixed

2af5655e364f697a15b1dc2db2c3f85f6ef949f2

Affected versions

v1.*

v1.17.0

v1.17.1