CVE-2024-9180
- Source
- https://cve.org/CVERecord?id=CVE-2024-9180
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-9180.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-9180
- Aliases
- Downstream
- Related
- Published
- 2024-10-10T21:15:05.010Z
- Modified
- 2026-01-30T01:36:23.195281Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
- References
Affected packages
Git / github.com/hashicorp/vault
Git / github.com/openbao/openbao
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openbao/openbao
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
api/auth/approle/v0.*
api/auth/approle/v0.1.0
api/auth/approle/v0.1.1
api/auth/approle/v0.2.0
api/auth/approle/v0.3.0
api/auth/approle/v0.4.0
api/auth/approle/v0.4.1
api/auth/approle/v1.*
api/auth/approle/v1.1.0-development20240408
api/auth/aws/v0.*
api/auth/aws/v0.1.0
api/auth/aws/v0.2.0
api/auth/aws/v0.3.0
api/auth/aws/v0.4.0
api/auth/aws/v0.4.1
api/auth/aws/v1.*
api/auth/aws/v1.1.0-development20240408
api/auth/azure/v0.*
api/auth/azure/v0.1.0
api/auth/azure/v0.2.0
api/auth/azure/v0.3.0
api/auth/azure/v0.4.0
api/auth/azure/v0.4.1
api/auth/azure/v1.*
api/auth/azure/v1.1.0-development20240408
api/auth/gcp/v0.*
api/auth/gcp/v0.1.0
api/auth/gcp/v0.2.0
api/auth/gcp/v0.3.0
api/auth/gcp/v0.4.0
api/auth/gcp/v0.4.1
api/auth/gcp/v1.*
api/auth/gcp/v1.1.0-development20240408
api/auth/kubernetes/v1.*
api/auth/kubernetes/v1.1.0-development20240408
api/auth/ldap/v1.*
api/auth/ldap/v1.1.0-development20240408
api/auth/userpass/v0.*
api/auth/userpass/v0.1.0
api/auth/userpass/v0.2.0
api/auth/userpass/v0.3.0
api/auth/userpass/v0.4.0
api/auth/userpass/v0.4.1
api/auth/userpass/v1.*
api/auth/userpass/v1.1.0-development20240408
api/v1.*
api/v1.0.1
api/v1.0.2
api/v1.0.3
api/v1.0.4
api/v1.1.1
api/v1.100.0-development20240408
api/v1.2.0
api/v1.3.1
api/v1.5.0
api/v1.6.0
api/v1.7.0
api/v1.7.1
api/v1.7.2
api/v1.8.0
api/v1.8.1
api/v1.8.2
api/v1.8.3
api/v1.9.0
api/v1.9.1
api/v1.9.2
Other
before-plugin-removal
fork-point
sdk/v0.*
sdk/v0.1.10
sdk/v0.1.11
sdk/v0.1.12
sdk/v0.1.13
sdk/v0.1.8
sdk/v0.1.9
sdk/v0.2.1
sdk/v0.3.0
sdk/v0.4.1
sdk/v0.5.0
sdk/v0.5.1
sdk/v0.5.3
sdk/v0.6.0
sdk/v0.6.1
sdk/v0.6.2
sdk/v0.7.0
sdk/v0.8.0
sdk/v0.9.0
sdk/v0.9.1
sdk/v1.*
sdk/v1.100.0-development20240408
v2.*
v2.0.0
v2.0.0-alpha20240329
v2.0.0-beta20240618
v2.0.1
v2.0.2