PT-2021-23415 · Hashicorp · Vault Enterprise+1
Mdgreenfield · Published 2021-10-08 · Updated 2024-08-21 · CVE-2021-41802
CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
HashiCorp Vault and Vault Enterprise versions 1.7.0 through 1.7.4
HashiCorp Vault and Vault Enterprise versions 1.8.0 through 1.8.3
Description
A user with write permission to an entity alias ID that shares a mount accessor with another user can acquire that other user's policies by merging their identities.
Recommendations
For HashiCorp Vault and Vault Enterprise versions 1.7.0 through 1.7.4, update to version 1.7.5 to resolve the issue.
For HashiCorp Vault and Vault Enterprise versions 1.8.0 through 1.8.3, update to version 1.8.4 to resolve the issue.
Fix
Improper Privilege Management
Incorrect Permission
Related Identifiers
Affected Products
Hashicorp Vault
Vault Enterprise