CVE-2022-40186

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-40186

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-40186.json

Aliases

BIT-vault-2022-40186
GHSA-7cgv-v83v-rr87

Published

2022-09-22T01:15:12Z

Modified

2023-12-06T01:02:34.223467Z

Details

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.

References

https://discuss.hashicorp.com
https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550
https://security.netapp.com/advisory/ntap-20221111-0008/

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/vault
Events: Introduced

82a99f14eb6133f99a975e653d4dac21c17505c7

Fixed

9c11f0a48a8995ea2976039dcc5197b3350bcf42

Introduced

b97ec4912502a9f822151a6b0946df94946f8a53