CVE-2020-10661: Improper Privilege Management in HashiCorp Vault

Severity: 9.1 CRITICAL (NVD)
EPSS: 0.4% (top 39.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 23; latest update Jun 28

Description

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (2 packages)

Source  Package                      Affected from  Fixed in / last affected
Go      github.com/hashicorp_vault   0.11.0         1.3.4 (fixed)
NVD     hashicorp/vault              0.11.0         1.3.3 (last affected)

Vulnerability Details (3)

OSV: HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault (2024-06-28)
GHSA: HashiCorp Vault Improper Privilege Management (2024-01-30)
OSV: HashiCorp Vault Improper Privilege Management (2024-01-30)

Vendor Advisories (1)

Red Hat: vault: Existing nested-path policies grant access to Namespaces created after-the-fact (2020-03-23)