GHSA-23fq-q7hc-993r

Source

https://github.com/advisories/GHSA-23fq-q7hc-993r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-23fq-q7hc-993r/GHSA-23fq-q7hc-993r.json

Aliases

BIT-vault-2021-38553
CVE-2021-38553

Published

2021-08-30T17:22:53Z

Modified

2023-12-06T01:01:25.747512Z

Details

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-38553
https://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168
https://github.com/hashicorp/vault
https://security.gentoo.org/glsa/202207-01

Affected packages

Go / github.com/hashicorp/vault

Package

Name: github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

1.4.0

Fixed

1.8.0