GHSA-7cgv-v83v-rr87

Source
https://github.com/advisories/GHSA-7cgv-v83v-rr87
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-7cgv-v83v-rr87/GHSA-7cgv-v83v-rr87.json
Aliases
Published
2022-09-23T00:00:46Z
Modified
2023-12-06T01:02:34.223467Z
Details

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.

References

Affected packages

Go / github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
1.11.0
Fixed
1.11.3

Go / github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
1.10.0
Fixed
1.10.6

Go / github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
1.8.0
Fixed
1.9.9