Description
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
A flaw was found in HashiCorp Vault. When using the Vault and Vault Enterprise approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of another role by providing the secret ID accessor.
Affected packages

Platform | Package | Status | Recommendation | Release
---|---|---|---|---
Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-installer | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/topology-aware-lifecycle-manager-rhel8-operator | Not affected | |
Red Hat Openshift Container Storage 4 | ocs4/cephcsi-rhel8 | Out of support scope | |
Red Hat Openshift Container Storage 4 | ocs4/mcg-rhel8-operator | Out of support scope | |
Red Hat Openshift Container Storage 4 | ocs4/ocs-rhel8-operator | Out of support scope | |
Red Hat Openshift Container Storage 4 | ocs4/rook-ceph-rhel8-operator | Out of support scope | |
Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Not affected | |
Red Hat Openshift Data Foundation 4 | odf4/mcg-rhel9-operator | Affected | |
Red Hat Openshift Data Foundation 4 | odf4/ocs-rhel9-operator | Affected | |
Additional information

EPSS:
CVSS3: 8.1 High
Related vulnerabilities

- HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
- HashiCorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
- Vulnerability in the enterprise information archiving platforms HashiCorp Vault and Vault Enterprise, related to flaws in the authorization mechanism, allowing an attacker to cause a denial of service