From f238d1f255165c6ec7ab385fb621b5367f52e5b8 Mon Sep 17 00:00:00 2001 From: JM Faircloth Date: Wed, 12 Jun 2024 13:57:41 -0500 Subject: [PATCH] add jwt auth bound aud known issues files --- .../1_16-jwt_auth_bound_audiences.mdx | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 website/content/partials/known-issues/1_16-jwt_auth_bound_audiences.mdx diff --git a/website/content/partials/known-issues/1_16-jwt_auth_bound_audiences.mdx b/website/content/partials/known-issues/1_16-jwt_auth_bound_audiences.mdx new file mode 100644 index 000000000000..462b65ecd88a --- /dev/null +++ b/website/content/partials/known-issues/1_16-jwt_auth_bound_audiences.mdx @@ -0,0 +1,31 @@ +### JWT auth login requires bound audiences on the role + +#### Affected versions + +- 1.15.9 +- 1.15.10 +- 1.16.3 +- 1.16.4 + +#### Issue +A behavior change was made in the jwt auth plugin to address CVE-2024-5798. +Since the behavior change was a breaking change, we reverted the change in +the versions after 1.15.10 and 1.16.4. However, the behavior change will go +into effect in 1.17. + +The new behavior requires that the `bound_audiences` parameter of "jwt" roles +**must** match at least one of the JWT's associated `aud` claims. The `aud` +claim can be a single string or a list of strings as per +[RFC 7519 Section 4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). + +Users may not be able to log into Vault if the JWT role is configured +incorrectly. For additional details, refer to the +[JWT auth method (API)](/vault/api-docs/auth/jwt) documentation. + +See this [issue](https://github.com/hashicorp/vault/issues/27343) for more details. + +#### Workaround + +Configure the `bound_audiences` parameter of "jwt" roles to match at least one +of the JWT's associated `aud` claims. This configuratoin will be required for +1.17 and later.
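Review bot: the Workaround paragraph at the end of this hunk has a typo, "This configuratoin will be required for 1.17 and later." should read "This configuration will be required for 1.17 and later." Two smaller wording points in the Issue section: "we reverted the change in the versions after 1.15.10 and 1.16.4" leaves the reader to work out which patch releases carry the revert, so consider naming the exact releases alongside the Affected versions list; and "Users may not be able to log into Vault if the JWT role is configured incorrectly" is vaguer than the condition the Workaround actually states, so say directly that login fails when the role's `bound_audiences` does not match any value in the token's `aud` claim (string or list, per the RFC 7519 reference already given). Stating the concrete failure condition lets operators audit their existing "jwt" roles before upgrading to 1.17 rather than discovering the breakage at login time.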