First published: Wed Oct 12 2022
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
HashiCorp Vault | <1.9.10 | Upgrade to 1.9.10 or later
HashiCorp Vault | >=1.10.0 <1.10.7 | Upgrade to 1.10.7 or later
HashiCorp Vault | >=1.11.0 <1.11.4 | Upgrade to 1.11.4 or later
The vulnerability ID of this flaw is CVE-2022-41316.
The severity of CVE-2022-41316 is medium, with a severity value of 5.3.
HashiCorp Vault and Vault Enterprise versions up to 1.12.0 are affected by CVE-2022-41316.
To fix CVE-2022-41316, upgrade your HashiCorp Vault or Vault Enterprise to version 1.12.0 or later.
You can find more information about CVE-2022-41316 on the following websites:
- [HashiCorp Discussion Forum](https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483)
- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2022:7399)
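The failure mode described above, as an added illustration that is not Vault's code: a simplified model in which the role's CRL is represented as a constructed text file of revoked serials (real X.509 CRL parsing is omitted), and the auth backend either loads it lazily (pre-fix behaviour, so logins before the first retrieval are never checked) or on startup (fixed behaviour). The class and file format are assumptions made for this example.

```python
"""Simplified model of the CVE-2022-41316 failure mode (constructed example, not Vault code)."""
from dataclasses import dataclass, field

# Constructed stand-in for the CRL issued by the role's CA: one revoked serial (hex) per line.
CONSTRUCTED_CRL_FILE = "# revoked serials (hex)\n0a1b2c\n0d0e0f\n"


def parse_crl(text: str) -> set:
    """Return the set of revoked serials from the constructed CRL format."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


@dataclass
class CertAuthBackend:
    """Models the cert auth method's revocation check.

    eager_load=False reproduces the pre-fix behaviour: the configured CRL is
    only pulled into memory by a later code path (modelled by refresh_crl()),
    so logins before that point are never checked against it.
    eager_load=True reproduces the fix: the CRL is loaded when the backend starts.
    """
    crl_source: str
    eager_load: bool
    _revoked: set = field(default_factory=set)
    _crl_loaded: bool = False

    def __post_init__(self):
        if self.eager_load:          # fixed behaviour: load the CRL on startup
            self.refresh_crl()

    def refresh_crl(self):
        """Retrieve the configured CRL into memory (the step that was missing at startup)."""
        self._revoked = parse_crl(self.crl_source)
        self._crl_loaded = True

    def login(self, cert_serial: str) -> bool:
        """Return True if a client cert with this serial would be accepted."""
        # Pre-fix logic: the CRL is only consulted if it has already been loaded,
        # so a revoked cert is accepted until the first retrieval happens.
        if self._crl_loaded and cert_serial.lower() in self._revoked:
            return False
        return True
```

Running the model shows a revoked serial accepted by the lazily loading backend until `refresh_crl()` runs, and rejected immediately by the eagerly loading one.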