CVE-2020-12757

Опубликовано: 21 мая 2020

Источник: redhat

CVSS3: 7.3

EPSS Низкий

Описание

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.

A flaw was found in the HashiCorp Vault. The HashiCorp Vault and Vault Enterprise could allow a remote attacker to bypass security restrictions caused by incorrect access control in the secrets/gcp. By sending a specially crafted request, an attacker can bypass access restrictions.

Затронутые пакеты

Платформа	Пакет	Состояние
Logging Subsystem for Red Hat OpenShift	openshift-logging/logging-loki-rhel8	Not affected
Red Hat OpenShift Container Platform 4	openshift4/ose-installer	Not affected
Red Hat OpenShift Container Platform 4	openshift4/topology-aware-lifecycle-manager-rhel8-operator	Not affected
Red Hat Openshift Container Storage 4	ocs4/cephcsi-rhel8	Out of support scope
Red Hat Openshift Container Storage 4	ocs4/mcg-rhel8-operator	Out of support scope
Red Hat Openshift Container Storage 4	ocs4/ocs-rhel8-operator	Out of support scope
Red Hat Openshift Container Storage 4	ocs4/rook-ceph-rhel8-operator	Out of support scope
Red Hat Openshift Data Foundation 4	odf4/cephcsi-rhel9	Not affected
Red Hat Openshift Data Foundation 4	odf4/mcg-rhel9-operator	Not affected
Red Hat Openshift Data Foundation 4	odf4/ocs-rhel9-operator	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-404

https://bugzilla.redhat.com/show_bug.cgi?id=2167400vault: GCP Credentials are created with incorrect time-to-live lease duration

EPSS

Процентиль: 58%

0.00365

Низкий

7.3 High

CVSS3

Связанные уязвимости

CVE-2020-12757

CVSS3: 9.8

nvd

больше 5 лет назад

GHSA-75pc-qvwc-jf3g