CVE-2020-10660: Incorrect Default Permissions in HashiCorp Vault

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.2% (top 54.24%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 23; Latest update Jun 28

Description

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

Ecosystem  Package                     Introduced  Fixed / last affected
Go         github.com/hashicorp_vault  0.9.0       1.3.4 (fixed)
NVD        hashicorp/vault             0.9.0       1.3.3 (last affected)

Vulnerability Details (3)

OSV: HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault (2024-06-28)
OSV: HashiCorp Vault Improper Privilege Management (2024-01-30)
GHSA: HashiCorp Vault Improper Privilege Management (2024-01-30)

Vendor Advisories (1)

Red Hat: vault: Entity's Group membership inadvertently include Groups the Entity no longer has permissions to (2020-03-23)