CVE-2021-42135
First published: Mon Oct 11 2021(Updated: )
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HashiCorp Vault | >=1.8.0<=1.8.4 | |
| HashiCorp Vault | >=1.8.0<=1.8.4 | |
| >=1.8.0<=1.8.4 | ||
| >=1.8.0<=1.8.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-42135.
What is the severity of CVE-2021-42135?
The severity of CVE-2021-42135 is high with a severity value of 8.1.
Which versions of HashiCorp Vault are affected by CVE-2021-42135?
HashiCorp Vault and Vault Enterprise versions 1.8.0 through 1.8.4 are affected by CVE-2021-42135.
What is the impact of CVE-2021-42135?
The vulnerability may result in users having more privileges than intended in certain situations.
Is there a fix available for CVE-2021-42135?
It is recommended to upgrade to a version of HashiCorp Vault that is not affected, such as version 1.8.5 or later.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/severity
- agent/first-publish-date
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/hashicorp
- canonical/hashicorp vault
- version/hashicorp vault/1.8.0
- version/hashicorp vault/1.8.4