Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNnZ2LXZ2MjYtcmg3Y84AA488
HashiCorp Vault Improper Privilege Management
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.
Permalink: https://github.com/advisories/GHSA-j6vv-vv26-rh7cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNnZ2LXZ2MjYtcmg3Y84AA488
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-j6vv-vv26-rh7c, CVE-2020-10661
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-10661
- https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a
- https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020
- https://www.hashicorp.com/blog/category/vault/
- https://github.com/advisories/GHSA-j6vv-vv26-rh7c
Blast Radius: 1.0
Affected Packages
go:github.com/hashicorp/vault/vault
Affected Version Ranges: >= 0.11.0, < 1.3.4Fixed in: 1.3.4