GHSA-pfmw-vj74-ph8g

Suggest an improvement
Source
https://github.com/advisories/GHSA-pfmw-vj74-ph8g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-pfmw-vj74-ph8g/GHSA-pfmw-vj74-ph8g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pfmw-vj74-ph8g
Aliases
Published
2021-12-02T17:48:30Z
Modified
2023-12-06T01:01:40.896123Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
HashiCorp Vault Incorrect Permission Assignment for Critical Resource
Details

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

References

Affected packages

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
0.11.0
Fixed
1.7.6

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
1.8.0
Fixed
1.8.5