
CVE-2024-5798: CWE-287: Improper Authentication in HashiCorp Vault

Severity: Low
Tags: vulnerability, CVE-2024-5798, cve, cwe-287
Published: Wed Jun 12 2024 (06/12/2024, 18:55:24 UTC)
Source: CVE Database V5
Vendor/Project: HashiCorp
Product: Vault

Description

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT whose audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9.

AI-Powered Analysis

AI analysis last updated: 11/04/2025, 16:47:50 UTC

Technical Analysis

CVE-2024-5798 is a security vulnerability classified under CWE-287 (Improper Authentication) discovered in HashiCorp Vault and Vault Enterprise. The vulnerability stems from improper validation of the JSON Web Token (JWT) role-bound audience claim when using Vault's JWT authentication method. Specifically, Vault did not correctly verify that the JWT's audience claim matched the expected role-bound audience, allowing a JWT with mismatched claims to be accepted and an invalid login to succeed. This flaw undermines the authentication mechanism, potentially permitting attackers to authenticate with tokens that should have been rejected. The vulnerability affects Vault versions starting from 0.11.0 up to versions prior to 1.15.9, 1.16.3, and 1.17.0, where the issue was fixed. The CVSS v3.1 base score is 2.6, indicating low severity; the vector indicates a network attack vector, high attack complexity, privileges required, user interaction required, and a scope change with limited confidentiality impact. No known exploits have been reported in the wild as of the publication date (June 12, 2024). The vulnerability primarily impacts the authentication process, potentially allowing unauthorized access if exploited, but requires an attacker to have some level of privileges and user interaction, reducing the risk of widespread exploitation. The flaw is critical to address in environments relying on Vault for secrets management and authentication, especially where JWT-based authentication is in use.

Potential Impact

For European organizations, the improper authentication vulnerability in HashiCorp Vault could lead to unauthorized access to secrets and sensitive credentials managed by Vault if exploited. Although the CVSS score is low and exploitation requires privileges and user interaction, the impact on confidentiality could be significant in environments where Vault is a central component of the security infrastructure. Unauthorized logins could allow attackers to retrieve secrets, tokens, or credentials, potentially leading to lateral movement or data breaches. Organizations using vulnerable Vault versions in cloud-native, DevOps, or infrastructure automation contexts are at risk. The impact is heightened in sectors with strict compliance requirements such as finance, healthcare, and critical infrastructure, common in Europe. However, the limited ease of exploitation and absence of known active exploits reduce immediate risk. Nonetheless, failure to patch could expose organizations to targeted attacks, especially in high-value environments.

Mitigation Recommendations

European organizations should immediately upgrade HashiCorp Vault and Vault Enterprise to versions 1.15.9, 1.16.3, 1.17.0, or later to remediate CVE-2024-5798. Additionally, organizations should audit their JWT authentication configurations to ensure strict validation of audience and role-bound claims, preventing acceptance of tokens with mismatched claims. Implementing robust monitoring and alerting on authentication anomalies can help detect potential exploitation attempts. Restricting privileges to minimize who can authenticate via JWT and enforcing multi-factor authentication where possible will reduce risk. Regularly reviewing Vault audit logs for suspicious login activity is recommended. Organizations should also validate their incident response plans to quickly address any unauthorized access. Finally, educating DevOps and security teams about this vulnerability and secure JWT handling practices will strengthen overall security posture.
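The description and the mitigation paragraph both turn on one check: a JWT presented for a role must carry an aud claim that matches one of that role's bound audiences, and a token whose audience does not match must be refused. The Python below is an added illustration of that strict check, written for this page; it is not Vault's code and not the vendor's fix. Only the role parameter name bound_audiences is taken from Vault's JWT auth method; the HS256 verifier, the signing key, the role, the claims and the jwt_login function are constructed for the example. It handles the cases a validator has to get right: aud given as a string or as a list (RFC 7519 allows both), a missing aud claim, a role with no bound audiences, and a bad signature.

```python
"""Strict role-bound audience check for JWT logins (added example, not Vault's code)."""
import base64
import hashlib
import hmac
import json
import time


class JWTRejected(Exception):
    """Raised for any reason a login must be refused."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token so the example runs offline (test helper only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Verify signature and expiry first; claims are only trusted after this."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise JWTRejected("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise JWTRejected("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JWTRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise JWTRejected("token expired")
    return claims


def audiences_in(claims: dict) -> set:
    """Normalise the aud claim: RFC 7519 allows a single string or a list of strings."""
    aud = claims.get("aud")
    if aud is None:
        return set()
    if isinstance(aud, str):
        return {aud}
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return set(aud)
    raise JWTRejected("aud claim must be a string or a non-empty list of strings")


def check_bound_audiences(claims: dict, bound_audiences) -> None:
    """The role-bound check: at least one presented audience must be in the role's list."""
    bound = set(bound_audiences or [])
    if not bound:
        # Assumed policy for this example: a role with no bound audiences binds nothing.
        raise JWTRejected("role has no bound_audiences; refusing to bind token to role")
    presented = audiences_in(claims)
    if not presented:
        raise JWTRejected("token carries no aud claim")
    if presented.isdisjoint(bound):
        raise JWTRejected(f"aud {sorted(presented)} matches none of {sorted(bound)}")


def jwt_login(token: str, role: dict, key: bytes, now=None) -> str:
    """Return an allow/deny decision string for a token presented against a role."""
    try:
        claims = verify_hs256(token, key, now)
        check_bound_audiences(claims, role.get("bound_audiences"))
    except JWTRejected as exc:
        return f"deny: {exc}"
    return f"allow: sub={claims.get('sub')}"


# Constructed sample data: a demo key, one role and four tokens that differ only in aud.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
ROLE = {"name": "ci-deploy", "bound_audiences": ["vault.example.internal"]}
NOW = 1_700_000_000
GOOD = mint_hs256({"sub": "ci-runner", "aud": "vault.example.internal", "exp": NOW + 600}, SIGNING_KEY)
WRONG_AUD = mint_hs256({"sub": "ci-runner", "aud": "api.example.internal", "exp": NOW + 600}, SIGNING_KEY)
LIST_AUD = mint_hs256({"sub": "ci-runner", "aud": ["other", "vault.example.internal"], "exp": NOW + 600}, SIGNING_KEY)
NO_AUD = mint_hs256({"sub": "ci-runner", "exp": NOW + 600}, SIGNING_KEY)

if __name__ == "__main__":
    for label, tok in [("good", GOOD), ("wrong aud", WRONG_AUD), ("list aud", LIST_AUD), ("no aud", NO_AUD)]:
        print(f"{label:10} -> {jwt_login(tok, ROLE, SIGNING_KEY, NOW)}")
```

The order matters: the signature and expiry are checked before any claim is read, and the audience check is a set intersection against the role's list rather than a loose substring or prefix test, so a token minted for another service with an unrelated aud is denied even though its signature is valid. When auditing a JWT auth configuration after upgrading, the same cases (wrong aud, list-valued aud, absent aud, role without bound audiences) are the ones worth exercising against the real login endpoint.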


Technical Details

Data Version: 5.2
Assigner Short Name: HashiCorp
Date Reserved: 2024-06-10T15:46:30.387Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690a2ddcf0ba78a050535a85

Added to database: 11/4/2025, 4:46:20 PM

Last enriched: 11/4/2025, 4:47:50 PM

Last updated: 11/5/2025, 2:06:19 PM

