Hashicorp · Hashicorp Vault · CVE-2024-5798
Name of the Vulnerable Software and Affected Versions:
HashiCorp Vault versions prior to 1.15.9
HashiCorp Vault versions prior to 1.16.3
HashiCorp Vault versions prior to 1.17.0
Description:
The issue arises from improper validation of the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may result in Vault validating a JWT even when the audience and role-bound claims do not match, allowing an invalid login to succeed.
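To illustrate the check the advisory describes, here is an added Go example (not Vault's own code): a login is accepted only if the token's aud claim shares at least one value with the role's bound audiences, and a token without an aud claim is rejected whenever the role binds audiences. The function names, claim map and sample audience values are constructed for this example, and signature verification is assumed to have happened before this check runs.

```go
package main

import "fmt"

// audienceValues normalises the RFC 7519 "aud" claim (string or string array).
func audienceValues(aud interface{}) ([]string, error) {
	switch v := aud.(type) {
	case string:
		return []string{v}, nil
	case []interface{}:
		var out []string
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("aud array contains a non-string value")
			}
			out = append(out, s)
		}
		return out, nil
	}
	return nil, fmt.Errorf("aud claim has an unexpected type")
}

// CheckBoundAudience (hypothetical helper, not Vault's code) accepts a login only
// if some aud value is in the role's bound audiences; a missing aud is rejected.
func CheckBoundAudience(claims map[string]interface{}, boundAudiences []string) error {
	if len(boundAudiences) == 0 {
		return nil // role binds no audience; nothing to enforce here
	}
	aud, present := claims["aud"]
	if !present {
		return fmt.Errorf("token has no aud claim but the role binds audiences")
	}
	auds, err := audienceValues(aud)
	if err != nil {
		return err
	}
	for _, a := range auds {
		for _, b := range boundAudiences {
			if a == b {
				return nil
			}
		}
	}
	return fmt.Errorf("aud %v does not match any bound audience %v", auds, boundAudiences)
}

func main() {
	// Constructed claims: an audience mismatch must be reported as an error.
	fmt.Println(CheckBoundAudience(map[string]interface{}{"aud": "vault-dev"}, []string{"vault-prod"}))
}
```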
Recommendations:
For versions prior to 1.15.9, update to version 1.15.9 or later.
For versions prior to 1.16.3, update to version 1.16.3 or later.
For versions prior to 1.17.0, update to version 1.17.0 or later.