Описание
Improper Input Validation in HashiCorp Vault
HashiCorp Vault and Vault Enterprise 1.4.x before 1.4.2 in Go package github.com/hashicorp/vault-plugin-secrets-gcp/plugin has Incorrect Access Control.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2020-12757
- https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/85
- https://github.com/hashicorp/vault-plugin-secrets-gcp/commit/e43d20870c50f7428dead1411debcec075b35fb4
- https://github.com/hashicorp/vault/blob/master/CHANGELOG.md
- https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020
- https://www.hashicorp.com/blog/category/vault
Пакеты
github.com/hashicorp/vault-plugin-secrets-gcp
< 0.6.2
0.6.2
Связанные уязвимости
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.