CVE-2021-45042

Опубликовано: 13 дек. 2021

Источник: redhat

CVSS3: 4.9

Описание

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.

A denial of service attack was discovered against vault. For clusters using the Integrated Storage (Raft) backend, an authenticated user with write permissions to the KV secrets engine can cause a panic leading to a denial of service of the storage backend, by supplying a key larger than 32KB.

Затронутые пакеты

Платформа	Пакет	Состояние
Logging Subsystem for Red Hat OpenShift	openshift-logging/logging-loki-rhel8	Not affected
Red Hat Advanced Cluster Management for Kubernetes 2	hashicorp/vault	Not affected
Red Hat OpenShift Container Platform 4	openshift4/ose-installer	Not affected
Red Hat OpenShift Container Platform 4	openshift4/topology-aware-lifecycle-manager-rhel8-operator	Not affected
Red Hat Openshift Container Storage 4	ocs4/cephcsi-rhel8	Not affected
Red Hat Openshift Container Storage 4	ocs4/mcg-rhel8-operator	Not affected
Red Hat Openshift Container Storage 4	ocs4/ocs-rhel8-operator	Not affected
Red Hat Openshift Container Storage 4	ocs4/rook-ceph-rhel8-operator	Not affected
Red Hat Openshift Data Foundation 4	mcg	Not affected
Red Hat Openshift Data Foundation 4	noobaa-operator-container	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-400

https://bugzilla.redhat.com/show_bug.cgi?id=2034914vault: clusters using the integrated storage backend allowed an authenticated user to cause a DoS of the storage backend

4.9 Medium

CVSS3

Связанные уязвимости

CVE-2021-45042

CVSS3: 4.9

nvd

около 4 лет назад

GHSA-cr6r-4g38-f69g

CVSS3: 4.9

github

около 4 лет назад

4.9 Medium

CVSS3