PT-2020-2037 · HashiCorp · Vault, Vault Enterprise

Published: 2020-03-19 · Updated: 2024-06-28 · CVE-2020-10661

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3
Description: The issue is an improper privilege management flaw that a remote attacker can use to elevate privileges. Under certain circumstances, existing nested-path policies may grant access to Namespaces created after the fact, so a token bound to such a policy reaches a new Namespace that it was never explicitly granted.
Recommendations: For HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3, update to version 1.3.4, which resolves the issue. Until the upgrade is applied, review existing nested-path policies before creating a new Namespace and restrict access to any Namespace created after the fact, so that no pre-existing policy silently reaches it.
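The following audit helper is an added example, not HashiCorp code and not part of this advisory. It supports the pre-upgrade workaround above by listing the parent-namespace policy rules that would reach a child Namespace you are about to create. It assumes Vault's documented policy path matching (a trailing `*` is a prefix glob, `+` matches exactly one path segment, anything else is an exact match) and that a request made inside child namespace `NS` for path `P` is compared against parent-namespace rules as `NS/P`. The policy names, rules and namespace names in the sample input are constructed for illustration; the script flags rules to review and does not reproduce the vulnerable behaviour itself.

```python
"""Pre-upgrade audit for CVE-2020-10661: list parent-namespace policy rules
that could reach a child Namespace that does not exist yet.

Added example; not HashiCorp code and not part of the advisory.  Assumptions:
  * Vault's documented policy path matching: a trailing '*' is a prefix glob,
    '+' matches exactly one path segment, everything else is an exact match;
  * a request made inside child namespace NS for path P is compared against
    parent-namespace rules as "NS/P".
"""
from collections import defaultdict


def rule_reaches_namespace(rule: str, namespace: str) -> bool:
    """Return True if `rule` (a policy path from a parent namespace) can match
    at least one request path inside `namespace`."""
    glob = rule.endswith("*")
    literal = rule[:-1] if glob else rule
    rule_segs = literal.split("/")
    ns_segs = namespace.strip("/").split("/")
    for i, ns_seg in enumerate(ns_segs):
        if i >= len(rule_segs):
            # Rule literal ran out before the namespace path did; only a glob
            # such as "ops*" still covers the remainder.
            return glob
        rule_seg = rule_segs[i]
        last = i == len(rule_segs) - 1
        if rule_seg == "+":
            continue                           # '+' matches any one segment
        if last and glob:
            return ns_seg.startswith(rule_seg)  # "sec*" vs "secret-team"
        if rule_seg != ns_seg:
            return False
    # Every namespace segment matched.  The rule reaches inside only if it
    # continues past the namespace ("ns1/secret/foo") or is a glob ("ns1/*").
    return len(rule_segs) > len(ns_segs) or glob


def audit(rules, planned_namespaces):
    """Map each planned namespace to the (policy, rule) pairs that reach it."""
    findings = defaultdict(list)
    for policy, rule in rules:
        for ns in planned_namespaces:
            if rule_reaches_namespace(rule, ns):
                findings[ns].append((policy, rule))
    return dict(findings)


# Constructed sample input (not from the advisory): parent-namespace policies
# as you might collect them with `vault policy list` / `vault policy read`,
# and namespaces that are about to be created.
SAMPLE_RULES = [
    ("app-reader", "secret/data/app/*"),
    ("ops-admin", "sec*"),
    ("team-kv", "+/secret/*"),
    ("exact-only", "secret/data/app/config"),
    ("root-like", "*"),
]
SAMPLE_NAMESPACES = ["secret", "secops", "ops", "billing/eu"]


if __name__ == "__main__":
    for ns, hits in sorted(audit(SAMPLE_RULES, SAMPLE_NAMESPACES).items()):
        print(f"{ns}/")
        for policy, rule in hits:
            print(f"  {policy:12} {rule}")
```

Run it from the parent namespace whose policies you are worried about, feeding it the real rule list; any hit means either the rule should be tightened or the planned namespace name should change before it is created.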

Status: Fix

Weakness Enumeration

Improper Privilege Management (CWE-269)

Related Identifiers

BDU:2020-01662
BIT-VAULT-2020-10661
CVE-2020-10661
GHSA-J6VV-VV26-RH7C
GO-2024-2485

Affected Products

HashiCorp Vault
Vault Enterprise