Описание
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.
A flaw was found in HashiCorp Vault Enterprise. This flaw allows a remote attacker to obtain sensitive information caused by improper authentication validation by the /sys/license endpoint. By sending a specially-crafted HTTP request, an attacker can obtain license metadata from DR secondaries and use this information to launch further attacks against the affected system.
Отчет
Red Hat Products are not affected by this CVE as this CVE only affects HashiCorp Vault Enterprise versions.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-installer | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/topology-aware-lifecycle-manager-rhel8-operator | Not affected | ||
| Red Hat Openshift Container Storage 4 | ocs4/cephcsi-rhel8 | Not affected | ||
| Red Hat Openshift Container Storage 4 | ocs4/mcg-rhel8-operator | Not affected | ||
| Red Hat Openshift Container Storage 4 | ocs4/ocs-rhel8-operator | Not affected | ||
| Red Hat Openshift Container Storage 4 | ocs4/rook-ceph-rhel8-operator | Not affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Not affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/mcg-rhel9-operator | Not affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/ocs-rhel9-operator | Not affected |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.
5.3 Medium
CVSS3