CVE-2021-29653: Improper Certificate Validation in Vault

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 73.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 22
Latest update: May 24

Description

HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

| Source | Package | Affected from | Fixed in |
| --- | --- | --- | --- |
| NVD | hashicorp/vault | 1.5.1 | 1.5.8 (+2 more) |

Vulnerability Details (1)

GHSA: GHSA-gw8r-qv92-434x: HashiCorp Vault and Vault Enterprise 1… (2022-05-24)

Vendor Advisories (1)

Red Hat: vault: PKI Engine CRL May Exclude Revoked But Unexpired Certificates After Tidy (2021-04-22)