CVE-2022-41316Improper Certificate Validation in Hashicorp Vault

CWE-295Improper Certificate Validation5 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 58.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Hashicorp VaultHashicorp Vault
Timeline
PublishedOct 12
Latest updateAug 20

Description

HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDhashicorp/vault1.10.01.10.7+2
Gogithub.com/hashicorp_vault1.10.01.10.7+2

🔴Vulnerability Details

3
OSV
HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault2024-08-20
GHSA
HashiCorp Vault's revocation list not respected2023-07-06
OSV
HashiCorp Vault's revocation list not respected2023-07-06

📋Vendor Advisories

1
Red Hat
vault: insufficient certificate revocation list checking2022-10-12