CVE-2020-10660
Published 2020-03-23
Priority: P425 · medium · 5.3 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.76% (50.7th percentile)
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0.9.0 < 1.3.4 | 1.3.4 |
| hashicorp | vault | 0.9.0 – 1.3.3 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 5.3 | MEDIUM | — |
OSV
HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
osv·2024-06-28
CVE-2020-10660 HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
OSV
HashiCorp Vault Improper Privilege Management
osv·2024-01-30
CVE-2020-10660 [MEDIUM] HashiCorp Vault Improper Privilege Management
GHSA
HashiCorp Vault Improper Privilege Management
ghsa·2024-01-30
CVE-2020-10660 [MEDIUM] CWE-269 HashiCorp Vault Improper Privilege Management
Red Hat
vault: Entity's Group membership inadvertently include Groups the Entity no longer has permissions to
vendor_redhat·2020-03-23·CVSS 5.3
CVE-2020-10660 [MEDIUM] CWE-284 vault: Entity's Group membership inadvertently include Groups the Entity no longer has permissions to
A flaw was found in HashiCorp Vault and Vault Enterprise. This flaw allows a remote attacker to bypass security restrictions caused by an issue when inadvertently including Groups the Entity no longer has permission to. By sending a specially crafted request, an attacker can bypass access restrictions.
Package: openshift4/ose-installer (Red Hat OpenShift Container Platform 4) - Not affected
Package: openshift4/topology-aware-lifecycle-manager-rhel8-operator (Red Hat Ope
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-03-23