CVE-2021-32923 — Insufficient Session Expiration in Hashicorp Vault

CWE-613 — Insufficient Session Expiration6 documents5 sources

Severity

7.4HIGHNVD

EPSS

0.7%

top 29.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Vault Hashicorp Vault Msrc Azl3 Keda 2.14.0-1 ON Azure Linux 3.0 +3 more

Timeline

PublishedJun 3

Latest updateAug 21

Description

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages6 packages

▶NVDhashicorp/vault0.10.0 — 1.5.9+2

▶Gogithub.com/hashicorp_vault1.7.0 — 1.7.2+2

▶msrcmsrc/azure_linux_3.0_arm

▶msrcmsrc/azure_linux_3.0_x64

▶msrcmsrc/azl3_keda_2.14.0-1_on_azure_linux_3.0

🔴Vulnerability Details

OSV

Invalid session token expiration in github.com/hashicorp/vault↗2024-08-21

▶

GHSA

Invalid session token expiration↗2021-06-08

▶

OSV

Invalid session token expiration↗2021-06-08

▶

📋Vendor Advisories

Microsoft

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically those within 1 second of their maximum TTL) which caused them to be inco↗2021-06-08

▶

Red Hat

vault: Token leases incorrectly treated as non-expiring↗2021-06-03

▶