Description
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
A flaw was found in the vault package. The Vault UI web application may fail to completely clear a client-side data cache on user logout. As a result, an authenticated user sharing a browser to access Vault may have been able to view the previous authenticated user’s cached secrets, even if they were not authorized by Vault policies to view them.
Statement
Vault deployments that do not enable the Vault UI are not affected by this issue.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | | |
| OpenShift Service Mesh 2.0 | servicemesh | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | vault | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-installer | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | openshift4/topology-aware-lifecycle-manager-rhel8-operator | Will not fix | | |
| Red Hat Openshift Container Storage 4 | ocs4/cephcsi-rhel8 | Out of support scope | | |
| Red Hat Openshift Container Storage 4 | ocs4/mcg-rhel8-operator | Out of support scope | | |
| Red Hat Openshift Container Storage 4 | ocs4/ocs-rhel8-operator | Out of support scope | | |
| Red Hat Openshift Container Storage 4 | ocs4/rook-ceph-rhel8-operator | Out of support scope | | |
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Not affected | | |
Additional information
Status:
CVSS3: 5.3 Medium
Related vulnerabilities
Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault
CVSS3: 5.3 Medium