CVE-2022-25243
First published: Thu Mar 10 2022(Updated: )
"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HashiCorp Vault | >=1.8.0<1.8.9 | |
| HashiCorp Vault | >=1.8.0<1.8.9 | |
| HashiCorp Vault | >=1.9.0<1.9.4 | |
| HashiCorp Vault | >=1.9.0<1.9.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2022-25243.
What is the severity of CVE-2022-25243?
The severity of CVE-2022-25243 is medium with a CVSS score of 6.5.
Which versions of Vault and Vault Enterprise are affected by CVE-2022-25243?
Vault and Vault Enterprise versions 1.8.0 through 1.8.8 and 1.9.0 through 1.9.3 are affected by CVE-2022-25243.
What is the impact of CVE-2022-25243?
CVE-2022-25243 allows the PKI secrets engine to issue wildcard certificates to authorized users for a specified domain, even if the allow_subdomains attribute is set to false.
How can I fix CVE-2022-25243?
You can fix CVE-2022-25243 by upgrading to Vault Enterprise version 1.8.9 or 1.9.4.
- collector/nvd-index
- vendor/hashicorp
- canonical/hashicorp vault
- version/hashicorp vault/1.8.0
- version/hashicorp vault/1.9.0