PT-2022-25812 · HashiCorp · Vault Enterprise
Published: 2022-10-11 · Updated: 2025-05-26 · CVE-2022-41316
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
HashiCorp Vault and Vault Enterprise versions prior to 1.12.0
HashiCorp Vault and Vault Enterprise versions prior to 1.11.4
HashiCorp Vault and Vault Enterprise versions prior to 1.10.7
HashiCorp Vault and Vault Enterprise versions prior to 1.9.10
Description
The TLS certificate auth method in HashiCorp Vault and Vault Enterprise did not initially load the optionally configured CRL issued by the role's CA into memory on startup. This resulted in the revocation list not being checked if the CRL has not yet been retrieved.
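The failure mode described above, as an added example that is not Vault's code and not part of this advisory: a constructed Go model of a TLS cert-auth role with an optional CRL. The names certAuthRole, loadCRL, authenticate and the failClosed switch are assumptions made here for illustration. It goes slightly beyond the description by contrasting three policies side by side: a role that never loaded its configured CRL and fails open (the defect class: a revoked certificate is accepted), the same role failing closed (login refused until the CRL is in memory), and a role that loaded the CRL at startup (revoked certificate rejected, unrevoked one accepted). The CA, client certificates and CRL are all generated in-process, so it runs offline with the standard library only (Go 1.19 or later for x509.ParseRevocationList).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certAuthRole is a constructed model of a TLS cert-auth role (not Vault's code).
type certAuthRole struct {
	ca     *x509.Certificate
	crlDER []byte               // configured CRL as it sits on disk or behind a URL
	crl    *x509.RevocationList // in-memory copy; nil until loadCRL has run
}

var errRevoked = errors.New("client certificate is revoked")
var errCRLNotLoaded = errors.New("CRL configured but not loaded; refusing login")

// loadCRL parses the configured CRL and checks that the role CA signed it (callers invoke
// it only when a CRL is configured). Running it at startup is the step the advisory describes as missing.
func (r *certAuthRole) loadCRL() error {
	crl, err := x509.ParseRevocationList(r.crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(r.ca)
	}
	if err == nil {
		r.crl = crl
	}
	return err
}

// authenticate chains the client cert to the role CA, then applies the CRL. With failClosed=false a
// configured-but-unloaded CRL is silently skipped (the defect); with true the login is refused instead.
func (r *certAuthRole) authenticate(client *x509.Certificate, failClosed bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(r.ca)
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if r.crl == nil { // nothing in memory: no CRL configured, or configured but never fetched
		if r.crlDER != nil && failClosed {
			return errCRLNotLoaded
		}
		return nil // defect when crlDER != nil: a revoked certificate is accepted here
	}
	for _, rc := range r.crl.RevokedCertificates { // Go 1.19+ field; 1.21+ also has RevokedCertificateEntries
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return errRevoked
		}
	}
	return nil
}

func must[T any](v T, err error) T { // panics on error; fine for constructed fixtures
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a constructed certificate; a nil parent yields a self-signed CA.
func issue(serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("constructed-%d", serial)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { // CA able to sign both certificates and CRLs
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// runScenario returns the error each policy gives a revoked client cert (nil = accepted), then the unrevoked cert's result.
func runScenario() (lazyOpen, lazyClosed, eagerRevoked, eagerValid error) {
	ca, caKey := issue(1, nil, nil)
	revoked, _ := issue(42, ca, caKey)
	valid, _ := issue(43, ca, caKey)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: time.Now()}},
	}, ca, caKey))
	lazy := &certAuthRole{ca: ca, crlDER: crlDER} // CRL configured but never loaded
	eager := &certAuthRole{ca: ca, crlDER: crlDER}
	must(eager, eager.loadCRL()) // the startup load the fixed versions perform
	return lazy.authenticate(revoked, false), lazy.authenticate(revoked, true),
		eager.authenticate(revoked, true), eager.authenticate(valid, true)
}

func main() {
	fmt.Println(runScenario())
}
```

The point for defenders is the second branch in authenticate: when a revocation source is configured but unavailable, the safe default is to treat the check as failed (or to load the CRL before accepting any login, as the fixed versions do), not to skip it.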
Recommendations
For versions prior to 1.12.0, update to version 1.12.0 or later.
For versions prior to 1.11.4, update to version 1.11.4 or later.
For versions prior to 1.10.7, update to version 1.10.7 or later.
For versions prior to 1.9.10, update to version 1.9.10 or later.
Weakness Enumeration
Improper Certificate Validation (CWE-295)
Affected Products
HashiCorp Vault
RED OS
Vault Enterprise