PT-2021-19953 · Hashicorp · Hashicorp Vault Enterprise

Published: 2021-02-01 · Updated: 2024-06-28 · CVE-2021-3282

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HashiCorp Vault Enterprise versions 1.6.0 through 1.6.1
Description: The issue allows the remove-peer raft operator command to be executed against DR secondaries without authentication. This affects HashiCorp Vault Enterprise.
Recommendations: For versions 1.6.0 and 1.6.1, update to version 1.6.2 to resolve the issue. As a temporary workaround, consider restricting access to the remove-peer command until the update is applied.

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

BIT-VAULT-2021-3282
CVE-2021-3282
GHSA-RQ95-XF66-J689
GO-2024-2509

Affected Products

Hashicorp Vault Enterprise