HashiCorp · HashiCorp Vault Enterprise · CVE-2024-7594
**Name of the Vulnerable Software and Affected Versions**
HashiCorp Vault Community Edition versions prior to 1.17.6
HashiCorp Vault Enterprise versions prior to 1.17.6, 1.16.10, and 1.15.15
**Description**
The issue arises from the SSH secrets engine not requiring the `valid principals` list to contain a value by default. If neither the `valid principals` nor the `default user` field of the SSH secrets engine configuration is set, a certificate requested by an authorized user from Vault's SSH secrets engine is issued with an empty principals list, and such a certificate could be used to authenticate as any user on the host.
**Recommendations**
For HashiCorp Vault Community Edition versions prior to 1.17.6, update to version 1.17.6 or later.
For HashiCorp Vault Enterprise versions prior to 1.17.6, update to version 1.17.6 or later.
For HashiCorp Vault Enterprise versions prior to 1.16.10, update to version 1.16.10 or later.
For HashiCorp Vault Enterprise versions prior to 1.15.15, update to version 1.15.15 or later.
As a temporary workaround, consider setting the `valid principals` and `default user` fields in the SSH secrets engine configuration to restrict access.
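The following is an added example, not code from the advisory or from HashiCorp: a defender-side check that parses an OpenSSH certificate (the `signed_key` form returned by the engine) and flags one whose principals list is empty, since OpenSSH treats an empty list as valid for any user. The certificate built by `_constructed_cert` is constructed test data with a placeholder key, key id and signature, not real Vault output.

```python
import base64
import struct

# OpenSSH certificate wire format (PROTOCOL.certkeys): a sequence of
# SSH "string" fields (uint32 big-endian length + bytes) and fixed-width ints.

def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n

def certificate_principals(cert_line: str) -> list:
    """Return the valid-principals list of a certificate given in
    authorized_keys form: '<cert type> <base64 blob> [comment]'."""
    blob = base64.b64decode(cert_line.split()[1])
    cert_type, off = _read_string(blob, 0)
    if not cert_type.endswith(b"-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH certificate")
    _nonce, off = _read_string(blob, off)
    # The embedded public key differs per key type: ed25519 is one string,
    # RSA is two mpints (e, n), each encoded as a string.
    if cert_type.startswith(b"ssh-ed25519"):
        _pk, off = _read_string(blob, off)
    elif cert_type.startswith(b"ssh-rsa"):
        _e, off = _read_string(blob, off)
        _n, off = _read_string(blob, off)
    else:
        raise ValueError("unsupported key type %r" % cert_type)
    off += 8 + 4                          # uint64 serial, uint32 type (1 = user)
    _key_id, off = _read_string(blob, off)
    packed, off = _read_string(blob, off)  # principals: concatenated strings
    principals, p = [], 0
    while p < len(packed):
        name, p = _read_string(packed, p)
        principals.append(name.decode())
    return principals

def is_globally_valid(cert_line: str) -> bool:
    """True when the certificate names no principal, i.e. sshd would accept
    it for any user on the host; such a certificate should be treated as a finding."""
    return certificate_principals(cert_line) == []

def _constructed_cert(principals: list) -> str:
    """Constructed, unsigned ed25519 user certificate for testing only."""
    body = (_string(b"ssh-ed25519-cert-v01@openssh.com") + _string(b"\x00" * 32)
            + _string(b"\x01" * 32) + struct.pack(">QI", 1, 1)
            + _string(b"placeholder-key-id")
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1)        # valid after / valid before
            + _string(b"") * 5)                       # options, extensions, reserved, CA key, sig
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

Run it over certificates issued before the fix, or before `valid principals` and `default user` were set, to find ones that are accepted for any user.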