logo

Database

Improper authorization control for web services In github.com/hashicorp/vault

Description

HashiCorp Vault vulnerable to incorrect metadata access An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-401862. NVD-2022-401863. OSV-2022-401864. GCVE-2022-40186

References

1. https://discuss.hashicorp.com2. https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/445503. https://github.com/hashicorp/vault4. https://security.netapp.com/advisory/ntap-20221111-0008

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.