Mdgreenfield

**Name of the Vulnerable Software and Affected Versions** HashiCorp Vault and Vault Enterprise versions 1.8.x through 1.8.4 **Description** The issue is related to an unexpected interaction between glob-related policies and the Google Cloud secrets engine. This may result in users having more privileges than intended. For example, a user with read permission for the `/gcp/roleset/*` path may be able to issue Google Cloud service account credentials. **Recommendations** For HashiCorp Vault and Vault Enterprise versions 1.8.x through 1.8.4, consider restricting access to the Google Cloud secrets engine until a patch is available. As a temporary workaround, review and adjust glob-related policies to minimize the risk of unintended privilege assignments.

**Name of the Vulnerable Software and Affected Versions** HashiCorp Vault and Vault Enterprise versions 1.7.0 through 1.7.4 HashiCorp Vault and Vault Enterprise versions 1.8.0 through 1.8.3 **Description** The issue allows a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. **Recommendations** For HashiCorp Vault and Vault Enterprise versions 1.7.0 through 1.7.4, update to version 1.7.5 to resolve the issue. For HashiCorp Vault and Vault Enterprise versions 1.8.0 through 1.8.3, update to version 1.8.4 to resolve the issue.