PT-2021-24000 · Hashicorp · Vault Enterprise
Christian Baumann
Published 2021-11-30 · Updated 2024-08-21
CVE-2021-43998
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.7.5
HashiCorp Vault and Vault Enterprise version 1.8.4
Description:
Templated ACL policies in HashiCorp Vault and Vault Enterprise match the first-created entity alias when multiple entity aliases exist for a given entity and mount combination, rather than the alias the policy was intended for. This can lead to incorrect policy enforcement.
Recommendations:
For HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.7.5, update to version 1.7.6 or later.
For HashiCorp Vault and Vault Enterprise version 1.8.4, update to version 1.8.5 or later.
As a general mitigation measure, review and adjust templated ACL policies to ensure correct entity alias matching until the update can be applied.
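A check for the condition the description names (an entity holding more than one alias on the same auth mount), written here as an added example rather than HashiCorp's code: it takes entity records in the shape of Vault's `identity/entity/id/<id>` read output and reports, per entity and mount accessor, which alias a templated policy parameter such as `{{identity.entity.aliases.<mount accessor>.name}}` binds to on affected versions. The sample entities are constructed.

```python
from collections import defaultdict

# Constructed sample shaped like the `aliases` list that
# `vault read -format=json identity/entity/id/<id>` returns, trimmed to the fields used.
SAMPLE_ENTITIES = [
    {"id": "ent-alice", "aliases": [
        {"mount_accessor": "auth_userpass_1a2b3c", "name": "alice",
         "creation_time": "2021-01-05T10:00:00Z"},
        {"mount_accessor": "auth_userpass_1a2b3c", "name": "alice-admin",
         "creation_time": "2021-03-09T12:00:00Z"},
    ]},
    {"id": "ent-bob", "aliases": [
        {"mount_accessor": "auth_userpass_1a2b3c", "name": "bob",
         "creation_time": "2021-01-06T10:00:00Z"},
        {"mount_accessor": "auth_ldap_9z8y7x", "name": "bob",
         "creation_time": "2021-02-01T10:00:00Z"},
    ]},
]

def duplicate_alias_groups(entity):
    """Map mount_accessor -> aliases (oldest first) for every auth mount on
    which this entity holds more than one alias."""
    by_mount = defaultdict(list)
    for alias in entity.get("aliases", []):
        by_mount[alias["mount_accessor"]].append(alias)
    return {acc: sorted(als, key=lambda a: a["creation_time"])
            for acc, als in by_mount.items() if len(als) > 1}

def audit_entities(entities):
    """One finding per (entity, mount) pair with duplicate aliases. On affected
    versions a templated policy binds to the first-created alias, so
    `matched_alias` is the name the policy actually uses."""
    findings = []
    for entity in entities:
        for accessor, aliases in duplicate_alias_groups(entity).items():
            findings.append({
                "entity_id": entity["id"],
                "mount_accessor": accessor,
                "matched_alias": aliases[0]["name"],
                "all_aliases": [a["name"] for a in aliases],
            })
    return findings

if __name__ == "__main__":
    for f in audit_entities(SAMPLE_ENTITIES):
        print(f"entity {f['entity_id']} on mount {f['mount_accessor']}: aliases "
              f"{f['all_aliases']}, templated policies bind to {f['matched_alias']!r}")
```

Feed it the entity records from a real cluster (one read per id from `vault list identity/entity/id`) to find the entities whose templated policies need review before the upgrade.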
Fix
Weakness Enumeration: Incorrect Permission
Affected Products:
Hashicorp Vault
Vault Enterprise