Fluid Attacks Database

Description

HashiCorp Vault Improper Privilege Management HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/vault/vault	>=0.11.0 <1.3.4	v1.3.4
go	github.com/hashicorp/vault	>=0.11.0 <1.3.4	1.3.4

Aliases

1. CVE-2020-106612. NVD-2020-106613. OSV-2020-106614. GHSA-j6vv-vv26-rh7c5. GCVE-2020-10661

References

1. https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a2. https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-20203. https://www.hashicorp.com/blog/category/vault/4. https://www.hashicorp.com/blog/category/vault

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.