cbcvebase.
CVE-2022-40186
published 2022-09-22

CVE-2022-40186: An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an…

PriorityP346critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
0.76%
50.7th percentile
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.

Affected

6 ranges
VendorProductVersion rangeFixed in
github.comhashicorp_vault>= 1.10.0 < 1.10.61.10.6
github.comhashicorp_vault>= 1.11.0 < 1.11.31.11.3
github.comhashicorp_vault>= 1.8.0 < 1.9.91.9.9
hashicorpvault>= 1.10.0 < 1.10.61.10.6
hashicorpvault>= 1.11.0 < 1.11.31.11.3
hashicorpvault>= 1.8.0 < 1.9.91.9.9

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat9.1CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.