#VU66115 Permissions, Privileges, and Access Controls in Vault and Vault Enterprise - CVE-2021-43998

Cybersecurity Help s.r.o.

Published: 2022-08-04

Vulnerability identifier: #VU66115

Vulnerability risk: Medium

CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-43998

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Vault
Web applications / Modules and components for CMS
Vault Enterprise
Web applications / Modules and components for CMS

Vendor: HashiCorp

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to templated ACL policies always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination. A remote user can trigger incorrect policy enforcement.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Vault: 1.7.0 - 1.7.5, 1.8.0 - 1.8.4

Vault Enterprise: 1.7.0 - 1.7.5, 1.8.0 - 1.8.4

External links
https://discuss.hashicorp.com/t/hcsec-2021-30-vaults-templated-acl-policies-matched-first-created-alias-per-entity-and-auth-backend/32132

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat OpenShift Data Foundation 4.13

OpenShift Container Platform 4.13 update for vault

Gentoo update for HashiCorp Vault

Security restrictions bypass in HashiCorp Vault