CVE-2020-7220 — Improper Resource Shutdown or Release in Hashicorp Vault

CWE-404 — Improper Resource Shutdown or Release CWE-200 — Sensitive Information Exposure5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 46.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Vault Hashicorp Vault

Timeline

PublishedJan 23

Latest updateAug 21

Description

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDhashicorp/vault0.11.0 — 1.3.2

▶Gogithub.com/hashicorp_vault0.11.0 — 1.3.2

🔴Vulnerability Details

OSV

Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault↗2024-08-21

▶

GHSA

Improper Resource Shutdown or Release in HashiCorp Vault↗2021-07-28

▶

OSV

Improper Resource Shutdown or Release in HashiCorp Vault↗2021-07-28

▶

📋Vendor Advisories

Red Hat

vault: Vault Enterprise’s Dynamic Secrets May Persist After Namespace Deletion↗2020-01-23

▶