Description
Token leases could outlive their TTL in HashiCorp Vault
HashiCorp Vault and Vault Enterprise 1.0 before 1.5.4 have Incorrect Access Control.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-25816
- https://github.com/hashicorp/vault/pull/10020/commits/f192878110fe93eb13da914b2bee28caa7866a29
- https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#147
- https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#154
- https://www.hashicorp.com/blog/category/vault
Packages
Name: github.com/hashicorp/vault (go)
Affected versions: >= 1.0.0-beta1, < 1.5.4
Fixed version: 1.5.4
Related vulnerabilities
CVSS3: 6.8
redhat
more than 5 years ago
HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.
CVSS3: 6.8
nvd
more than 5 years ago
HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.