CVE-2020-35453
Published 2020-12-17
Priority: P4 · 25 · medium · 5.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.81% (52.3rd percentile)
HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hashicorp | vault | >= 1.5.0 < 1.5.6 | 1.5.6 |
| hashicorp | vault | >= 1.6.0 < 1.6.1 | 1.6.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_redhat | | 5.3 | MEDIUM | |
GHSA
GHSA-569v-h22j-3gcc: HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces
ghsa_unreviewed · 2022-05-24 · CVE-2020-35453 · MEDIUM · CWE-20
HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.
Red Hat
vault: Sentinel EGP policy feature incorrectly allowed requests to be processed
vendor_redhat · 2020-12-16 · CVSS 5.3 · CVE-2020-35453 · MEDIUM · CWE-20
HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.
Statement: This flaw affects the Enterprise version of Hashicorp Vault only, not the Open Source version.
Package: openshift-logging/logging-loki-rhel9 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: servicemesh (OpenShift Service Mesh 2.0) - Not affected
Package: vault (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: openshift4/ose-installer (Red Hat OpenShift Container Platform 4) - Not affected
Package: openshift4/topology-aware-lifecycle-manager-rhel8-operator (Red Hat OpenShift Container Platf
No detection rules found.
No public exploits indexed.
https://discuss.hashicorp.com/t/hcsec-2020-24-vault-enterprise-s-sentinel-egp-policies-may-impact-parent-or-sibling-namespaces/18983
https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#161
2020-12-17 · Published