CVE-2021-27668 — Missing Authentication for Critical Function in Vault

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 42.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedAug 31

Latest updateMay 24

Description

HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

▶NVDhashicorp/vault0.9.2 — 1.6.3

GHSA

GHSA-mfpx-cx7p-6jc6: HashiCorp Vault Enterprise 0↗2022-05-24

▶

Red Hat

vault: Vault Enterprise’s DR Secondaries Exposed License Metadata Without Authentication↗2021-08-31

▶