Описание
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
A flaw was found in github.com/hashicorp/vault. The user lockout feature for Userpass and LDAP authentication methods can be bypassed, allowing an attacker to circumvent account lockout restrictions. This circumvention occurs without requiring prior authentication or knowledge of user credentials. This vulnerability allows an unauthorized actor to potentially gain access to resources usually protected by the lockout mechanism. This bypass affects authentication processes and may result in unauthorized access.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Fix deferred | ||
| external secrets operator for Red Hat OpenShift - Tech Preview | external-secrets-operator/external-secrets-operator-rhel9 | Fix deferred | ||
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Will not fix | ||
| Red Hat Openshift Data Foundation 4 | odf4/mcg-cli-rhel9 | Will not fix | ||
| Red Hat Openshift Data Foundation 4 | odf4/mcg-rhel9-operator | Will not fix | ||
| Red Hat Openshift Data Foundation 4 | odf4/odf-cli-rhel9 | Will not fix | ||
| Red Hat Trusted Artifact Signer | rhtas/client-server-rhel9 | Will not fix | ||
| Red Hat Trusted Artifact Signer | rhtas/fulcio-rhel9 | Will not fix |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Hashicorp Vault has Lockout Feature Authentication Bypass
Уязвимость механизма блокировки пользователя платформ для архивирования корпоративной информации Vault Enterprise и Vault Community Edition, позволяющая нарушителю обойти существующие ограничения безопасности
5.3 Medium
CVSS3