Information disclosure in HashiCorp Vault

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU67534

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-40186

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the application permits usage of entity aliases mapped to a single entity share with the same alias name. A local user can create a share with the same alias name as used by another user and wait for the other user to login. After the victim logs in, the attacker will be able to gain access to files metadata in the victim's share.

Successful exploitation of the vulnerability requires that templated ACL policy is enabled and that the policy uses alias.Name, which is derived from the alias name.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Vault: 1.8.0 - 1.11.2

Vault Enterprise: 1.8.0 - 1.11.2

CPE2.3

• cpe:2.3:a:hashicorp:vault:1.8.12:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:vault:1.9.8:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:vault:1.11.2:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:vault_enterprise:1.8.12:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:vault_enterprise:1.9.8:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:vault_enterprise:1.11.2:*:*:*:*:*:*:*

External links

https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.