Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05bWg4LTlqNjQtNDQzZs4AA0RO
HashiCorp Vault's revocation list not respected
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
Permalink: https://github.com/advisories/GHSA-9mh8-9j64-443fJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05bWg4LTlqNjQtNDQzZs4AA0RO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-9mh8-9j64-443f, CVE-2022-41316
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-41316
- https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483
- https://github.com/advisories/GHSA-9mh8-9j64-443f
Affected Packages
go:github.com/hashicorp/vault
Versions: < 1.9.10, >= 1.10.0, < 1.10.7, >= 1.11.0, < 1.11.4Fixed in: 1.9.10, 1.10.7, 1.11.4