Fluid Attacks Database

Description

Incorrect Privilege Assignment in HashiCorp Vault HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/vault	>=1.8.0 <=1.8.4	1.8.5

Aliases

1. CVE-2021-421352. NVD-2021-421353. OSV-2021-421354. GCVE-2021-42135

References

1. https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards2. https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#180

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.