CVE-2021-38554
Published: 2021-08-13
Priority: P4 (26) · CVSS 3.1: 5.3 (Medium) · Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.91% (55.5th percentile)
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0 < 1.6.6 | 1.6.6 |
| github.com | hashicorp_vault | >= 1.7.0 < 1.7.4 | 1.7.4 |
| hashicorp | vault | < 1.8.0 | 1.8.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N |
| Red Hat (vendor) | — | 5.3 | MEDIUM | — |
OSV
Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault
osv · 2024-08-21
GHSA
Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault
ghsa · 2021-08-30 · MEDIUM · CWE-212
OSV
Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault
osv · 2021-08-30 · MEDIUM
Red Hat
vault: UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser
vendor_redhat · 2021-08-13 · CVSS 5.3 · MEDIUM · CWE-200
A flaw was found in the vault package. The Vault UI web application may fail to completely clear a client-side data cache on user logout. As a result, an authenticated user sharing a browser to access Vault may have been able to view the previous authenticated user’s cached secrets, even if they were not authorized by Vault policies to view them.
Statement: The Vault deployments that do not enable the Vault UI are not affected by this issue.
Package: openshift-logging/logging-loki-rhel9 (Logging S
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166
- https://security.gentoo.org/glsa/202207-01
Published: 2021-08-13