CVE-2020-35453 — Improper Input Validation in Vault

CWE-20 — Improper Input Validation3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 44.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Vault

Timeline

PublishedDec 17

Latest updateMay 24

Description

HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

▶NVDhashicorp/vault1.5.0 — 1.5.6+1

🔴Vulnerability Details

GHSA

GHSA-569v-h22j-3gcc: HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces↗2022-05-24

▶

📋Vendor Advisories

Red Hat

vault: Sentinel EGP policy feature incorrectly allowed requests to be processed↗2020-12-16

▶