#VU67534 Permissions, Privileges, and Access Controls in Vault and Vault Enterprise - CVE-2022-40186

Vulnerability identifier: #VU67534

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-40186

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Vault
Web applications / Modules and components for CMS
Vault Enterprise
Web applications / Modules and components for CMS

Vendor: HashiCorp

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the application permits usage of entity aliases mapped to a single entity share with the same alias name. A local user can create a share with the same alias name as used by another user and wait for the other user to login. After the victim logs in, the attacker will be able to gain access to files metadata in the victim's share.

Successful exploitation of the vulnerability requires that templated ACL policy is enabled and that the policy uses alias.Name, which is derived from the alias name.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Vault: 1.8.0 - 1.8.12, 1.9.0 - 1.9.8, 1.10.0 - 1.11.2

Vault Enterprise: 1.8.0 - 1.8.12, 1.9.0 - 1.9.8, 1.10.0 - 1.11.2

---

External links
https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.