PT-2021-23554 · HashiCorp · Vault Enterprise

Mdgreenfield · Published 2021-10-11 · Updated 2024-08-21 · CVE-2021-42135

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HashiCorp Vault and Vault Enterprise versions 1.8.x through 1.8.4

Description: The issue is related to an unexpected interaction between glob-related policies and the Google Cloud secrets engine. This may result in users having more privileges than intended. For example, a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.

Recommendations: For HashiCorp Vault and Vault Enterprise versions 1.8.x through 1.8.4, consider restricting access to the Google Cloud secrets engine until a patch is available. As a temporary workaround, review and adjust glob-related policies to minimize the risk of unintended privilege assignments.
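As an added example (not part of the advisory or of HashiCorp's code), the following Python script supports the policy-review workaround above: it parses the simple `path "..." { capabilities = [...] }` form of a Vault policy and flags any glob rule that grants `read` across the GCP roleset tree, so such rules can be narrowed to exact roleset paths. The sample policy is constructed, and the secrets engine is assumed to be mounted at `gcp`.

```python
import re

# Constructed sample Vault policy (HCL); not taken from the advisory.
SAMPLE_POLICY = '''
path "gcp/roleset/*" {
  capabilities = ["read"]
}

path "gcp/roleset/my-app" {
  capabilities = ["read"]
}

path "secret/data/app/*" {
  capabilities = ["read", "list"]
}
'''

# Matches the simple single-block rule form only (no nested blocks or comments).
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl):
    """Return [(path, [capability, ...]), ...] from a simple Vault policy."""
    rules = []
    for m in RULE_RE.finditer(hcl):
        caps = [c.strip().strip('"') for c in m.group(2).split(",") if c.strip()]
        rules.append((m.group(1).lstrip("/"), caps))
    return rules


def flag_gcp_glob_rules(hcl, mount="gcp"):
    """Return glob paths that grant 'read' across the <mount>/roleset/ tree.

    Vault policy globs are a trailing '*' (prefix match), so a rule covers the
    roleset tree when its stem is a prefix of the tree root (e.g. "gcp/*") or
    lies inside it (e.g. "gcp/roleset/prod-*"). Exact paths are not flagged.
    """
    tree = f"{mount}/roleset/"
    findings = []
    for path, caps in parse_policy(hcl):
        if not path.endswith("*") or "read" not in caps:
            continue
        stem = path[:-1]
        if tree.startswith(stem) or stem.startswith(tree):
            findings.append(path)
    return findings


if __name__ == "__main__":
    for path in flag_gcp_glob_rules(SAMPLE_POLICY):
        print(f"review glob rule: {path!r} grants read over gcp/roleset/")
```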

Weakness Enumeration

Incorrect Authorization
Incorrect Privilege Assignment
Improper Privilege Management

Related Identifiers

BIT-VAULT-2021-42135
CVE-2021-42135
GHSA-362V-WG5P-64W2
GO-2022-0578

Affected Products

Google Cloud
Hashicorp Vault
Vault Enterprise