CVE-2020-25816 — Insufficient Session Expiration in Hashicorp Vault

CWE-613 — Insufficient Session Expiration CWE-284 — Improper Access Control5 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

0.4%

top 37.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Vault Hashicorp Vault

Timeline

PublishedSep 30

Latest updateJun 28

Description

HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages2 packages

▶NVDhashicorp/vault1.0.0 — 1.4.7+1

▶Gogithub.com/hashicorp_vault1.0.0 — 1.5.4+1

🔴Vulnerability Details

OSV

Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault↗2024-06-28

▶

GHSA

Token leases could outlive their TTL in HashiCorp Vault↗2022-05-24

▶

OSV

Token leases could outlive their TTL in HashiCorp Vault↗2022-05-24

▶

📋Vendor Advisories

Red Hat

vault: Incorrect access control↗2020-09-30

▶