GHSA-86c6-3g63-5w64

Suggest an improvement
Source
https://github.com/advisories/GHSA-86c6-3g63-5w64
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-86c6-3g63-5w64/GHSA-86c6-3g63-5w64.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-86c6-3g63-5w64
Aliases
Related
Published
2023-09-29T00:30:16Z
Modified
2024-08-21T14:56:58.896874Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
Details

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

Database specific 
{
    "nvd_published_at": "2023-09-29T00:15:12Z",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-29T20:38:23Z",
    "cwe_ids": [
        "CWE-266",
        "CWE-732"
    ],
    "severity": "HIGH"
}
References

Affected packages

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.13.0