CVE-2020-12757
Published 2020-06-10
Priority P3 · 48 · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.52% (71.5th percentile)
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault-plugin-secrets-gcp | >= 0 < 0.6.2 | 0.6.2 |
| hashicorp | vault | >= 1.4.0 < 1.4.2 | 1.4.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | | 9.8 | CRITICAL | |
Red Hat
vault: GCP Credentials are created with incorrect time-to-live lease duration
vendor_redhat · 2020-05-21 · CVSS 9.8 · CRITICAL · CWE-404
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.
A flaw was found in HashiCorp Vault. HashiCorp Vault and Vault Enterprise could allow a remote attacker to bypass security restrictions because of incorrect access control in the secrets/gcp engine. By sending a specially crafted request, an attacker can bypass access restrictions.
Package: openshift-logging/logging-loki-rhel9 (Logging Subsystem for Red Hat OpenShift) - Not affected
OSV
Improper Input Validation in HashiCorp Vault in github.com/hashicorp/vault-plugin-secrets-gcp
osv · 2024-08-21 · CVE-2020-12757
OSV
Improper Input Validation in HashiCorp Vault
osv · 2021-05-18 · CVE-2020-12757 · CRITICAL
HashiCorp Vault and Vault Enterprise 1.4.x before 1.4.2 in Go package github.com/hashicorp/vault-plugin-secrets-gcp/plugin has Incorrect Access Control.
GHSA
Improper Input Validation in HashiCorp Vault
ghsa · 2021-05-18 · CVE-2020-12757 · CRITICAL · CWE-20
HashiCorp Vault and Vault Enterprise 1.4.x before 1.4.2 in Go package github.com/hashicorp/vault-plugin-secrets-gcp/plugin has Incorrect Access Control.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.