Description
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
A flaw was found in HashiCorp Vault and Vault Enterprise. This flaw allows a remote attacker to obtain sensitive information. By sending a specially-crafted request, a remote attacker can perform enumeration of the Secrets Engine mount paths.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | openshift4/ose-installer | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/topology-aware-lifecycle-manager-rhel8-operator | Not affected | | |
| Red Hat Openshift Container Storage 4 | ocs4/cephcsi-rhel8 | Out of support scope | | |
| Red Hat Openshift Container Storage 4 | ocs4/mcg-rhel8-operator | Out of support scope | | |
| Red Hat Openshift Container Storage 4 | ocs4/ocs-must-gather-rhel8 | Out of support scope | | |
| Red Hat Openshift Container Storage 4 | ocs4/ocs-rhel8-operator | Out of support scope | | |
| Red Hat Openshift Container Storage 4 | ocs4/rook-ceph-rhel8-operator | Out of support scope | | |
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/mcg-rhel9-operator | Not affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/ocs-rhel9-operator | Not affected | | |
Additional information
Status: Moderate
Defect: CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=2189536 vault: API Endpoint Allowed Enumeration of Secrets Engine Mount Paths Without Authentication
EPSS: 0.00481 (percentile: 64%), Low
CVSS3: 5.3 Medium
Related vulnerabilities
CVSS3: 5.3
nvd
about 5 years ago
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.