GHSA-hwc3-3qh6-r4gg

Source
https://github.com/advisories/GHSA-hwc3-3qh6-r4gg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-hwc3-3qh6-r4gg/GHSA-hwc3-3qh6-r4gg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hwc3-3qh6-r4gg
Aliases
Related
Published
2023-03-30T03:30:38Z
Modified
2024-08-20T20:58:39.031595Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Summary
HashiCorp Vault's PKI mount vulnerable to denial of service
Details

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Database specific
{
    "nvd_published_at": "2023-03-30T01:15:00Z",
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-07T19:22:54Z"
}
References

Affected packages

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.11.9

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
1.12.0
Fixed
1.12.5

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
1.13.0
Fixed
1.13.1