nlamirault / alan

Bridge between Vault and password managers
Apache License 2.0

CVE-2021-32923 (High) detected in vaultv0.10.0 #179

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2021-32923 - High Severity Vulnerability

Vulnerable Library - vaultv0.10.0

A tool for secrets management, encryption as a service, and privileged access management

Library home page: https://github.com/hashicorp/vault.git

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerable Source Files (1)

/vendor/github.com/hashicorp/vault/vault/expiration.go

Vulnerability Details

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.

Publish Date: 2021-06-03

URL: CVE-2021-32923

CVSS 3 Score Details (7.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603

Release Date: 2021-06-03

Fix Resolution: https://github.com/hashicorp/vault - v1.5.9,v1.6.5,v1.7.2
