CVE-2020-12757 — Improper Privilege Management in Hashicorp Vault-plugin-secrets-gcp

CWE-269 — Improper Privilege Management CWE-404 — Improper Resource Shutdown or Release CWE-20 — Improper Input Validation5 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 33.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Vault-plugin-secrets-gcp Hashicorp Vault

Timeline

PublishedJun 10

Latest updateAug 21

Description

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶Gogithub.com/hashicorp_vault-plugin-secrets-gcp< 0.6.2

▶NVDhashicorp/vault1.4.0 — 1.4.2

🔴Vulnerability Details

OSV

Improper Input Validation in HashiCorp Vault in github.com/hashicorp/vault-plugin-secrets-gcp↗2024-08-21

▶

OSV

Improper Input Validation in HashiCorp Vault↗2021-05-18

▶

GHSA

Improper Input Validation in HashiCorp Vault↗2021-05-18

▶

📋Vendor Advisories

Red Hat

vault: GCP Credentials are created with incorrect time-to-live lease duration↗2020-05-21

▶