HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
Published: 2021-10-08T17:15:07.853
Last modified: 2024-11-21T06:26:47.460
Status: Modified
CVSSv3.1: 2.9 (LOW)
CVSSv2 vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSSv2 exploitability score: 8.0
CVSSv2 impact score: 4.9
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | hashicorp | vault | < 1.7.5 | Yes |
Application | hashicorp | vault | < 1.8.4 | Yes |