CVE-2021-38553 — Improper Preservation of Permissions in Hashicorp Vault

CWE-281 — Improper Preservation of Permissions CWE-276 — Incorrect Default Permissions5 documents4 sources

Severity

4.4MEDIUMNVD

EPSS

0.0%

top 90.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Vault Hashicorp Vault

Timeline

PublishedAug 13

Latest updateAug 21

Description

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 0.8 | Impact: 3.6

Affected Packages2 packages

▶NVDhashicorp/vault1.4.0 — 1.8.0

▶Gogithub.com/hashicorp_vault1.4.0 — 1.8.0

🔴Vulnerability Details

OSV

HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 in github.com/hashicorp/vault↗2024-08-21

▶

OSV

HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0↗2021-08-30

▶

GHSA

HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0↗2021-08-30

▶

📋Vendor Advisories

Red Hat

vault: Underlying database file with excessively broad filesystem permissions↗2021-08-13

▶