CVE-2024-5798

LOW Year: 2024
CVSS v3 Score
2.6
Low
Weakness Type
CWE-285
View all →

Vulnerability Description

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

Related Vulnerabilities

CVE-2014-6049

LOW
CVSS:2.7(Low)

phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter.

CWE-2852014

CVE-2020-24403

LOW
CVSS:2.7(Low)

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users wi...

CWE-2852020

CVE-2020-24404

LOW
CVSS:2.7(Low)

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions t...

CWE-2852020

CVE-2024-48921

HIGH
CVSS:2.7(Low)

Kyverno is a policy engine designed for Kubernetes. A kyverno ClusterPolicy, ie. "disallow-privileged-containers," can be overridden by the creation of a PolicyException in a random namespace. By desi...

CWE-2852024

CVE-2021-25351

LOW
CVSS:2.4(Low)

Improper Access Control in EmailValidationView in Samsung Account prior to version 10.7.0.7 and 12.1.1.3 allows physically proximate attackers to log out user account on device without user password.

CWE-2852021

CVE-2022-36857

LOW
CVSS:2.4(Low)

Improper Authorization vulnerability in Photo Editor prior to SMR Sep-2022 Release 1 allows physical attackers to read internal application data.

CWE-2852022