CVE-2022-36129
Published 2022-07-26
CVE-2022-36129: HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be…
Priority P3 · 51 · 9.1 critical (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 1.31% (67.0th percentile)
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hashicorp | vault | — | — |
| hashicorp | vault | 1.10.0 – 1.10.4 | — |
| hashicorp | vault | 1.7.0 – 1.9.7 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| vendor_redhat | — | 9.1 | CRITICAL | — |
Red Hat
vault: Vault Enterprise Does Not Verify Existing Voter Status When Joining An Integrated Storage HA Node
vendor_redhat · 2022-07-27 · CVSS 9.1 · CRITICAL · CWE-863
A flaw was found in HashiCorp Vault Enterprise which could allow a remote attacker to bypass security restrictions. This issue is caused by the failure to verify existing voter status when joining an Integrated Storage HA Node. By sending a specially crafted request, an attacker could override the voter status of a node within a Vault HA clust
GHSA
GHSA-c8mv-ccvj-9h5q: HashiCorp Vault and Vault Enterprise through 2022-07-17 have Incorrect Access Control
ghsa_unreviewed · 2022-07-27 · CRITICAL · CWE-863
HashiCorp Vault and Vault Enterprise through 2022-07-17 have Incorrect Access Control.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://discuss.hashicorp.com
https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420
https://security.netapp.com/advisory/ntap-20220901-0011/
Published 2022-07-26