CVE-2021-41802
published 2021-10-08

Priority: P4 | 27 | medium | 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:N
EPSS: 0.59% (43.8th percentile)

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
github.com | hashicorp_vault | >= 0 < 1.7.5 | 1.7.5
github.com | hashicorp_vault | >= 1.8.0 < 1.8.4 | 1.8.4
hashicorp | vault | < 1.7.5 | 1.7.5
hashicorp | vault | >= 1.8.0 < 1.8.4 | 1.8.4

CVSS provenance

nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
nvd | v2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N
vendor_redhat | 2.9 | LOW