GHSA-362v-wg5p-64w2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-362v-wg5p-64w2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-362v-wg5p-64w2/GHSA-362v-wg5p-64w2.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-362v-wg5p-64w2
- Aliases
- Published
- 2021-10-12T18:41:16Z
- Modified
- 2024-08-21T15:27:25.475886Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Incorrect Privilege Assignment in HashiCorp Vault
- Details
-
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.
- Database specific
{ "nvd_published_at": "2021-10-11T03:15:00Z", "cwe_ids": [ "CWE-266", "CWE-863" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-10-12T16:53:55Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-42135
- https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards
- https://github.com/hashicorp/vault
- https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#180
Affected packages
Go / github.com/hashicorp/vault
Package
- Name
- github.com/hashicorp/vault
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/hashicorp/vault