GHSA-9mh8-9j64-443f

Source

https://github.com/advisories/GHSA-9mh8-9j64-443f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-9mh8-9j64-443f/GHSA-9mh8-9j64-443f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9mh8-9j64-443f

Aliases

Related

Published

2023-07-06T19:24:01Z

Modified

2024-08-20T20:58:52.064443Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

HashiCorp Vault's revocation list not respected

Details

HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.

Database specific

{
    "nvd_published_at": "2022-10-12T21:15:00Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T21:18:06Z"
}

References

Affected packages

Go / github.com/hashicorp/vault

Package

Name: github.com/hashicorp/vault; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

1.11.0

Fixed

1.11.4

Go / github.com/hashicorp/vault

Package

Name: github.com/hashicorp/vault; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

1.10.0

Fixed

1.10.7

Go / github.com/hashicorp/vault

Package

Name: github.com/hashicorp/vault; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.10