Description
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.
A flaw was found in HashiCorp Vault. Affected versions may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. In some situations, users may have more privileges than intended.
Report
This vulnerability was addressed through an update to the Vault Google Cloud secrets engine documentation. Vault operators using the Google Cloud secrets engine should review their Vault policies to ensure they meet their requirements and adhere to the principle of least privilege. More can be found in the official HashiCorp article for this vulnerability: https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards/30422 Due to the nature of this vulnerability, Red Hat components that use Vault are marked "Not affected".
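As an added example (not code from the advisory, HashiCorp or Red Hat), the following Python lint shows what the policy review above looks like in practice: it expands Vault policy paths with Vault's own glob rules (a trailing `*` matches any suffix, a `+` segment matches exactly one segment) and flags rules whose capabilities reach the credential-issuing `token` and `key` endpoints of the GCP secrets engine. It assumes the engine is mounted at the default `gcp/` path, uses constructed sample policies, and is a lint for over-broad rules rather than a re-implementation of Vault's most-specific-path precedence.

```python
import re

# Credential-issuing endpoints of the Google Cloud secrets engine, with the
# default "gcp/" mount path assumed (adjust if the engine is mounted elsewhere).
CREDENTIAL_ENDPOINTS = ("gcp/roleset/{name}/token", "gcp/roleset/{name}/key")

# Capabilities that can reach these endpoints; "deny" always withholds access.
GRANTING = {"read", "update", "create", "sudo"}


def vault_path_regex(policy_path):
    """Compile a Vault policy path into a regex using Vault's glob rules:
    a trailing '*' matches any suffix, a '+' segment matches one segment."""
    glob = policy_path.endswith("*")
    core = policy_path[:-1] if glob else policy_path
    segs = [r"[^/]+" if s == "+" else re.escape(s) for s in core.split("/")]
    return re.compile("^" + "/".join(segs) + (".*" if glob else "") + "$")


def broad_gcp_rules(policy, sample_name="example-roleset"):
    """Return (path, capabilities, reached_endpoints) for every rule in
    `policy` (a list of (path, capabilities) tuples, i.e. the parsed `path`
    blocks of a policy) whose grant reaches a credential-issuing endpoint."""
    probes = [e.format(name=sample_name) for e in CREDENTIAL_ENDPOINTS]
    findings = []
    for path, caps in policy:
        caps = set(caps)
        if "deny" in caps or not (caps & GRANTING):
            continue
        rx = vault_path_regex(path)
        hits = [p for p in probes if rx.match(p)]
        if hits:
            findings.append((path, sorted(caps), hits))
    return findings


# Constructed sample policies. The first mirrors the advisory's example:
# read on "gcp/roleset/*" also covers the ".../token" and ".../key" paths.
BROAD_POLICY = [("gcp/roleset/*", ["read"])]

# Tightened variant: read a roleset's configuration by name and list rolesets,
# while no rule reaches the token or key endpoints.
TIGHT_POLICY = [("gcp/roleset/+", ["read"]), ("gcp/roleset/", ["list"])]

if __name__ == "__main__":
    for label, pol in (("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)):
        print(label, broad_gcp_rules(pol))
```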
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-installer | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/topology-aware-lifecycle-manager-rhel8-operator | Not affected | | |
| Red Hat Openshift Container Storage 4 | ocs4/cephcsi-rhel8 | Not affected | | |
| Red Hat Openshift Container Storage 4 | ocs4/mcg-rhel8-operator | Not affected | | |
| Red Hat Openshift Container Storage 4 | ocs4/ocs-rhel8-operator | Not affected | | |
| Red Hat Openshift Container Storage 4 | ocs4/rook-ceph-rhel8-operator | Not affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Not affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/mcg-rhel9-operator | Not affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/ocs-rhel9-operator | Not affected | | |
Additional information
Status:
EPSS
8.1 High
CVSS3
Related vulnerabilities
Incorrect Privilege Assignment in HashiCorp Vault