Описание
A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
A flaw was found in github.com/hashicorp/vault. This vulnerability allows a privileged Vault operator with write access to the sys/audit endpoint to achieve code execution on the host system if a plugin directory is configured. This issue arises from the operator's ability to write malicious code into the plugin directory. Exploitation occurs through the execution of malicious plugin code, allowing an attacker to gain unauthorized control of the underlying host.
Отчет
The impact has been set to Important rather than Critical as this vulnerability requires a privileged user with write access to sys/audit in the root namespace. The execution also requires the SHA256 digest of the target file, which makes the attack complexity high. However, a malicious operator can possibly reproduce the file’s contents and compute its hash using the sys/audit-hash endpoint.
Меры по смягчению последствий
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Affected | ||
| external secrets operator for Red Hat OpenShift - Tech Preview | external-secrets-operator/external-secrets-operator-rhel9 | Affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/mcg-cli-rhel9 | Not affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/mcg-rhel9-operator | Not affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/odf-cli-rhel9 | Affected | ||
| Red Hat Trusted Artifact Signer | rhtas/client-server-rhel9 | Will not fix | ||
| Red Hat Trusted Artifact Signer | rhtas/fulcio-rhel9 | Will not fix |
Показывать по
Дополнительная информация
Статус:
8 High
CVSS3
Связанные уязвимости
A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
Уязвимость компонента sys/audit платформ для архивирования корпоративной информации Vault Enterprise и Vault Community Edition, позволяющая нарушителю получить несанкционированный доступ на выполнение произвольного кода
8 High
CVSS3