Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tOTc5LXc5d2otcWZqOc4AA489

HashiCorp Vault Improper Privilege Management

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

Permalink: https://github.com/advisories/GHSA-m979-w9wj-qfj9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tOTc5LXc5d2otcWZqOc4AA489
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-m979-w9wj-qfj9, CVE-2020-10660
References: Repository: https://github.com/hashicorp/vault
Blast Radius: 1.0

Affected Packages

go:github.com/hashicorp/vault/vault
Affected Version Ranges: >= 0.9.0, < 1.3.4
Fixed in: 1.3.4