getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Fix CVE-2024-2660 #1519

Closed TheoBrigitte closed 1 month ago

TheoBrigitte commented 1 month ago

Update github.com/hashicorp/vault/api to v1.14.0 to fix the following CVE:

$ go list -json -deps ./... | nancy sleuth
pkg:golang/github.com/hashicorp/vault/api@v1.12.0
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2024-2660] CWE-703: Improper Check or Handling of Exceptional Conditions                                                                                                                                                 ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ Vault and Vault Enterprise TLS certificates auth method did not correctly                                                                                                                                ┃
┃                    ┃ validate OCSP responses when one or more OCSP sources were configured.                                                                                                                                   ┃
┃                    ┃ Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.                                                                                                                                  ┃
┃                    ┃                                                                                                                                                                                                          ┃
┃                    ┃ Sonatype's research suggests that this CVE's details differ from those                                                                                                                                   ┃
┃                    ┃ defined at NVD. See                                                                                                                                                                                      ┃
┃                    ┃ https://ossindex.sonatype.org/vulnerability/CVE-2024-2660 for details                                                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ CVE-2024-2660                                                                                                                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 6.4/10 (Medium)                                                                                                                                                                                          ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H                                                                                                                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2024-2660?component-type=golang&component-name=github.com%2Fhashicorp%2Fvault%2Fapi&utm_source=nancy-client&utm_medium=integration&utm_content=0.0.0-dev ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

Note: As of today, the latest version of github.com/hashicorp/vault/api is v1.14.0, not v1.16.0 as shown in the above report.

$ go list -versions -m github.com/hashicorp/vault/api
github.com/hashicorp/vault/api v0.4.0 v1.0.1 v1.0.2 v1.0.3 v1.0.4 v1.1.0 v1.1.1 v1.2.0 v1.3.0 v1.3.1 v1.4.0 v1.4.1 v1.5.0 v1.6.0 v1.7.0 v1.7.1 v1.7.2 v1.8.0 v1.8.1 v1.8.2 v1.8.3 v1.9.0 v1.9.1 v1.9.2 v1.10.0 v1.11.0 v1.12.0 v1.12.1 v1.12.2 v1.13.0 v1.14.0
felixfontein commented 1 month ago

This has similar problems in CI as #1515. @getsops/maintainers can someone with more Go experience take a look at this?

TheoBrigitte commented 1 month ago

> This has similar problems in CI as #1515. @getsops/maintainers can someone with more Go experience take a look at this?

This happens when running `go mod tidy` with a Go version < 1.21, since CI uses go1.21.10.

At first I did not feel like updating the Go version in this PR.

felixfontein commented 1 month ago

My guess is that #1427 should have also bumped the go version in go.mod, even though at that point that version was already outdated (1.19 instead of 1.20).
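As an added illustration (not code from the sops project or from this PR), here is a POSIX shell check for the drift the thread describes: the `go` directive in go.mod lagging behind the toolchain CI runs, so that `go mod tidy` yields different results locally and in CI. The go.mod text below is constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example: detect a go.mod `go` directive that is older than the CI toolchain.
# Not part of sops; go.mod content and function names are constructed for illustration.

# Print the X.Y(.Z) version from the `go` directive in the given go.mod text.
go_directive_version() {
  printf '%s\n' "$1" | sed -n 's/^go[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the X.Y.Z version from a toolchain string such as "go1.21.10"
# or the full `go version` output "go version go1.21.10 linux/amd64".
toolchain_version() {
  printf '%s\n' "$1" | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the minor component of an X.Y(.Z) version ("1.21.10" -> "21").
minor_of() {
  rest=${1#*.}
  printf '%s\n' "${rest%%.*}"
}

# Return 0 (true) when the go.mod directive's major.minor is older than the
# toolchain's, which is the situation that makes `go mod tidy` output differ.
directive_lags_toolchain() {
  mod_ver=$(go_directive_version "$1")
  tc_ver=$(toolchain_version "$2")
  [ -n "$mod_ver" ] && [ -n "$tc_ver" ] || return 1
  [ "${mod_ver%%.*}" -eq "${tc_ver%%.*}" ] || return 1  # only compare within major 1
  [ "$(minor_of "$mod_ver")" -lt "$(minor_of "$tc_ver")" ]
}

# Constructed sample go.mod: the directive (1.20) is older than the CI toolchain.
SAMPLE_GOMOD='module example.com/demo

go 1.20

require github.com/hashicorp/vault/api v1.14.0
'

# Usage: emit a CI-style message and a non-zero status when the directive lags.
check_go_mod() {
  if directive_lags_toolchain "$1" "$2"; then
    echo "go.mod declares go $(go_directive_version "$1") but CI runs go $(toolchain_version "$2"); bump the directive before running go mod tidy"
    return 1
  fi
  echo "go.mod directive is in step with the toolchain"
}
```

Run `check_go_mod "$(cat go.mod)" "$(go version)"` in CI to fail early instead of discovering the tidy diff after the fact.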

TheoBrigitte commented 1 month ago

Should I move the Go version update to a different PR, or are you fine having this change here?

felixfontein commented 1 month ago

I guess it's fine here, but for this kind of PR I prefer input from someone else from the maintainer team, since I'm not that familiar with the Golang module mechanism :)

sabre1041 commented 1 month ago

> I guess it's fine here, but for this kind of PRs I prefer input from someone else from the maintainer team since I'm not that familiar with the Golang module mechanism :)

Will review this PR later today

felixfontein commented 1 month ago

@TheoBrigitte thanks for fixing this! @sabre1041 thanks for reviewing!