GHSA-9mh8-9j64-443f

Suggest an improvement
Source
https://github.com/advisories/GHSA-9mh8-9j64-443f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-9mh8-9j64-443f/GHSA-9mh8-9j64-443f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9mh8-9j64-443f
Aliases
Related
Published
2023-07-06T19:24:01Z
Modified
2023-12-06T01:02:36.199325Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
HashiCorp Vault's revocation list not respected
Details

HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.

References

Affected packages

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
1.11.0
Fixed
1.11.4

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
1.10.0
Fixed
1.10.7

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.10