CVE-2022-41316
Published: 2022-10-12
Priority: P4 · 26 · medium · CVSS 3.1 base score 5.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.40% (31.4th percentile)
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0 < 1.9.10 | 1.9.10 |
| github.com | hashicorp_vault | >= 1.10.0 < 1.10.7 | 1.10.7 |
| github.com | hashicorp_vault | >= 1.11.0 < 1.11.4 | 1.11.4 |
| hashicorp | vault | < 1.9.10 | 1.9.10 |
| hashicorp | vault | >= 1.10.0 < 1.10.7 | 1.10.7 |
| hashicorp | vault | >= 1.11.0 < 1.11.4 | 1.11.4 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| vendor_redhat | | 5.3 | MEDIUM | |
OSV
osv · 2024-08-20
CVE-2022-41316: HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault
GHSA
ghsa · 2023-07-06
CVE-2022-41316 [MEDIUM] CWE-295: HashiCorp Vault's revocation list not respected
OSV
osv · 2023-07-06
CVE-2022-41316 [MEDIUM]: HashiCorp Vault's revocation list not respected
Red Hat
vendor_redhat · 2022-10-12 · CVSS 5.3
CVE-2022-41316 [MEDIUM] CWE-295: vault: insufficient certificate revocation list checking
A flaw was found in HashiCorp Vault and Vault Enterprise. Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s Certificate Authority (CA) into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved.
Package: openshift-logging/logging-loki-rhel8 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: rhacm2/cluster-
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483
- https://security.netapp.com/advisory/ntap-20221201-0001/