CVE-2020-7220
Published 2020-01-23
CVE-2020-7220: HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.
Priority: P3 · 39 · high · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.42% (69.5th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0.11.0 < 1.3.2 | 1.3.2 |
| hashicorp | vault | >= 0.11.0 < 1.3.2 | 1.3.2 |
CVSS provenance
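| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| vendor_redhat | | 7.5 | HIGH | |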
OSV
Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault
osv·2024-08-21
CVE-2020-7220 Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault
GHSA
Improper Resource Shutdown or Release in HashiCorp Vault
ghsa·2021-07-28
CVE-2020-7220 [HIGH] CWE-404 Improper Resource Shutdown or Release in HashiCorp Vault
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.
OSV
Improper Resource Shutdown or Release in HashiCorp Vault
osv·2021-07-28
CVE-2020-7220 [HIGH] Improper Resource Shutdown or Release in HashiCorp Vault
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.
Red Hat
vault: Vault Enterprise’s Dynamic Secrets May Persist After Namespace Deletion
vendor_redhat·2020-01-23·CVSS 7.5
CVE-2020-7220 [HIGH] CWE-200 vault: Vault Enterprise’s Dynamic Secrets May Persist After Namespace Deletion
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.
A flaw was found in HashiCorp Vault Enterprise, where a remote attacker can obtain sensitive information caused by a vulnerability when deleting a namespace. This flaw allows a remote attacker to revoke dynamic secrets for a mount in a deleted namespace.
Statement: Red Hat Products are not affected by this CVE as this CVE only affects HashiCorp Vault Enterprise versions.
Package: openshift-logging/logging-loki-rhel8 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: openshift4/ose-installer (Red Hat OpenShift Container Platform 4) - Not
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-01-23