PT-2022-25266 · HashiCorp · HashiCorp Vault Enterprise
Published: 2022-09-21 · Updated: 2025-04-02
CVE-2022-40186
CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
HashiCorp Vault versions prior to 1.11.3
HashiCorp Vault Enterprise versions prior to 1.11.3
Description
A vulnerability was found in the Identity Engine of HashiCorp Vault: when an entity has aliases with the same name on more than one mount accessor, Vault may write alias metadata to the wrong alias. The issue stems from an incorrect check of which alias is actually assigned to the entity, and because policies can depend on that metadata, it can potentially grant unintended access to key/value paths in Vault.
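The precondition described above (one entity, several aliases sharing a name across different mount accessors) is something an operator can inventory before or after upgrading. The following audit helper is an added example, not code from the advisory or from HashiCorp; it assumes the JSON shape of Vault's entity read endpoint (GET /v1/identity/entity/id/<id>, where each alias carries mount_accessor, name and metadata), and the entity, alias ids and accessor names below are constructed sample data. Fetching the documents from a live Vault is left out so the check runs offline.

```python
"""Audit helper (added example, not HashiCorp code): flag Vault identity
entities whose aliases share a name across different mount accessors, the
configuration in which Vault versions prior to 1.11.3 could write alias
metadata to the wrong alias (CVE-2022-40186).

Assumes the JSON shape returned by Vault's entity read endpoint
(GET /v1/identity/entity/id/<id>): data.aliases is a list of objects with
`mount_accessor`, `name` and `metadata` fields.
"""
import json
from collections import defaultdict

# Constructed sample: one entity with two aliases both named "alice" on two
# different auth mounts (userpass and ldap), plus an unrelated OIDC alias.
# Ids and accessor names are placeholders, not real values.
SAMPLE_ENTITY = {
    "data": {
        "id": "entity-0001",
        "name": "alice",
        "aliases": [
            {"id": "alias-a", "mount_accessor": "auth_userpass_11111111",
             "mount_type": "userpass", "name": "alice",
             "metadata": {"team": "platform"}},
            {"id": "alias-b", "mount_accessor": "auth_ldap_22222222",
             "mount_type": "ldap", "name": "alice",
             "metadata": {"team": "finance"}},
            {"id": "alias-c", "mount_accessor": "auth_oidc_33333333",
             "mount_type": "oidc", "name": "alice@example.com",
             "metadata": {}},
        ],
    }
}


def shared_alias_names(entity):
    """Return {alias_name: [mount_accessor, ...]} for every alias name that
    appears on more than one mount accessor of this entity."""
    by_name = defaultdict(list)
    for alias in entity.get("data", {}).get("aliases", []):
        by_name[alias["name"]].append(alias["mount_accessor"])
    return {name: accs for name, accs in by_name.items() if len(set(accs)) > 1}


def metadata_conflicts(entity):
    """For each shared alias name, list the metadata keys whose values differ
    between the aliases. Those are the keys where a write landing on the wrong
    alias would change what a policy that reads alias metadata sees."""
    conflicts = {}
    aliases = entity.get("data", {}).get("aliases", [])
    for name in shared_alias_names(entity):
        metas = [a.get("metadata", {}) for a in aliases if a["name"] == name]
        keys = set().union(*metas)
        differing = sorted(k for k in keys if len({m.get(k) for m in metas}) > 1)
        if differing:
            conflicts[name] = differing
    return conflicts


def audit(entities):
    """Audit a list of entity documents; returns findings keyed by entity id.
    Entities without a shared alias name produce no finding."""
    findings = {}
    for entity in entities:
        shared = shared_alias_names(entity)
        if shared:
            findings[entity["data"]["id"]] = {
                "shared_alias_names": shared,
                "metadata_conflicts": metadata_conflicts(entity),
            }
    return findings


if __name__ == "__main__":
    # Sample run over the constructed entity; with real data, feed the
    # output of the entity read endpoint for every entity id listed by
    # LIST /v1/identity/entity/id instead.
    print(json.dumps(audit([SAMPLE_ENTITY]), indent=2))
```

Entities reported by audit() are the ones worth reviewing first after the upgrade: for each shared alias name, compare the metadata currently stored on every alias against the source of truth in the auth backend, since a misdirected write on an unpatched node would have left one alias carrying the other's values.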
Recommendations
For HashiCorp Vault versions prior to 1.11.3, update to version 1.11.3 or later to resolve the issue.
For HashiCorp Vault Enterprise versions prior to 1.11.3, update to version 1.11.3 or later to resolve the issue.
Fix
IDOR
Affected Products
Hashicorp Vault
Hashicorp Vault Enterprise
Red Os