CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-43998 – vault: incorrect policy enforcement
https://notcve.org/view.php?id=CVE-2021-43998
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0. Las políticas ACL templadas de HashiCorp Vault y Vault Enterprise 0.11.0 versiones hasta 1.7.5 y 1.8.4 siempre coincidían con el primer alias de entidad creado si presentaban varios alias de entidad para una combinación especificada de entidad y montaje, resultando potencialmente en una aplicación incorrecta de la política. Corregido en Vault y Vault Enterprise versiones 1.7.6, 1.8.5 y 1.9.0 A flaw was found in HashiCorp Vault. In affected versions of HashiCorp Vault and Vault Enterprise, templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. • https://discuss.hashicorp.com/t/hcsec-2021-30-vaults-templated-acl-policies-matched-first-created-alias-per-entity-and-auth-backend/32132 https://security.gentoo.org/glsa/202207-01 https://access.redhat.com/security/cve/CVE-2021-43998 https://bugzilla.redhat.com/show_bug.cgi?id=2028193 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-41802
https://notcve.org/view.php?id=CVE-2021-41802
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. HashiCorp Vault y Vault Enterprise versiones hasta 1.7.4 y 1.8.3, permitían que un usuario con permiso de escritura en un ID de alias de entidad que compartía un accesorio de montaje con otro usuario adquiriera las políticas de este otro usuario al fusionar sus identidades. Corregido en Vault y Vault Enterprise versiones 1.7.5 y 1.8.4 • https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation https://security.gentoo.org/glsa/202207-01 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27668
https://notcve.org/view.php?id=CVE-2021-27668
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3. HashiCorp Vault Enterprise versiones 0.9.2 hasta 1.6.2, permitía la lectura de metadatos de licencia de DR secundarios sin autenticación. Corregido en versión 1.6.3 • https://discuss.hashicorp.com/t/hcsec-2021-05-vault-enterprise-s-dr-secondaries-exposed-license-metadata-without-authentication/21427 https://security.gentoo.org/glsa/202207-01 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38554
https://notcve.org/view.php?id=CVE-2021-38554
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. La interfaz de usuario de HashiCorp Vault y Vault Enterprise almacenaba erróneamente en caché y exponía los secretos visualizados por el usuario entre sesiones en un mismo navegador compartido. Corregido en versión 1.8.0 y en versiones pendientes 1.7.4 / 1.6.6. • https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166 https://security.gentoo.org/glsa/202207-01 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 7.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-32923
https://notcve.org/view.php?id=CVE-2021-32923
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. HashiCorp Vault y Vault Enterprise permitían la renovación de los contratos de alquiler de tokens casi caducados y de los contratos de alquiler de secretos dinámicos (concretamente, los que estaban a menos de 1 segundo de su TTL máximo), lo que causó que sean incorrectamente tratados como no caducados durante su uso posterior. Corregido en versiones 1.5.9, 1.6.5 y 1.7.2 • https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603 https://security.gentoo.org/glsa/202207-01 https://www.hashicorp.com/blog/category/vault • CWE-613: Insufficient Session Expiration •