Nick Triller

#27847 of 53,633
9.1 Total CVSS
Vulnerabilities · 1
PT-2021-24000
9.1
2021-11-30
HashiCorp · Vault Enterprise · CVE-2021-43998
Name of the Vulnerable Software and Affected Versions:
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.7.5
HashiCorp Vault and Vault Enterprise version 1.8.4

Description:
The issue arises when templated ACL policies in HashiCorp Vault and Vault Enterprise match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination. This can lead to incorrect policy enforcement.

Recommendations:
For HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.7.5, update to version 1.7.6 or later.
For HashiCorp Vault and Vault Enterprise version 1.8.4, update to version 1.8.5 or later.
As a general mitigation measure, consider reviewing and adjusting templated ACL policies to ensure correct entity alias matching until the issue is resolved.