First published: Fri Oct 08 2021
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
HashiCorp Vault | <1.7.5 | |
HashiCorp Vault | >=1.8.0, <1.8.4 | |
The vulnerability ID is CVE-2021-41802.
The affected software is HashiCorp Vault and Vault Enterprise versions up to 1.7.4 and 1.8.3.
The severity of CVE-2021-41802 is medium with a severity score of 5.4.
CVE-2021-41802 allows a user with write permission to an entity alias ID that shares a mount accessor with another user to acquire that other user's policies by merging their identities.
To fix CVE-2021-41802, update to HashiCorp Vault and Vault Enterprise versions 1.7.5 and 1.8.4.