pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

Update module github.com/hashicorp/vault to v1.18.1 [SECURITY] (master) - autoclosed #4813

Closed pulumi-renovate[bot] closed 4 days ago

pulumi-renovate[bot] commented 5 days ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/hashicorp/vault | replace | minor | `v1.2.0` -> `v1.18.1` |

Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault

BIT-vault-2020-16250 / CVE-2020-16250 / GHSA-fp52-qw33-mfmw / GO-2022-0825

More information

#### Details

Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-fp52-qw33-mfmw](https://redirect.github.com/advisories/GHSA-fp52-qw33-mfmw)
- [https://nvd.nist.gov/vuln/detail/CVE-2020-16250](https://nvd.nist.gov/vuln/detail/CVE-2020-16250)
- [http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html](http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#151)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2022-0825) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault Authentication bypass in github.com/hashicorp/vault

BIT-vault-2020-16251 / CVE-2020-16251 / GHSA-4mp7-2m29-gqxf / GO-2024-2488

More information

#### Details

HashiCorp Vault Authentication bypass in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-4mp7-2m29-gqxf](https://redirect.github.com/advisories/GHSA-4mp7-2m29-gqxf)
- [https://nvd.nist.gov/vuln/detail/CVE-2020-16251](https://nvd.nist.gov/vuln/detail/CVE-2020-16251)
- [http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html](http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#151)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2488) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault Authentication bypass

BIT-vault-2020-16251 / CVE-2020-16251 / GHSA-4mp7-2m29-gqxf / GO-2024-2488

More information

#### Details

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

#### Severity

- CVSS Score: 8.2 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2020-16251](https://nvd.nist.gov/vuln/detail/CVE-2020-16251)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#151)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)
- [http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html](http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-4mp7-2m29-gqxf) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault

BIT-vault-2020-16250 / CVE-2020-16250 / GHSA-fp52-qw33-mfmw / GO-2022-0825

More information

#### Details

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

#### Severity

- CVSS Score: 8.2 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2020-16250](https://nvd.nist.gov/vuln/detail/CVE-2020-16250)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#151)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)
- [http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html](http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-fp52-qw33-mfmw) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Improper Resource Shutdown or Release in HashiCorp Vault

BIT-vault-2020-7220 / CVE-2020-7220 / GHSA-9vh5-r4qw-v3vv / GO-2022-0816

More information

#### Details

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2020-7220](https://nvd.nist.gov/vuln/detail/CVE-2020-7220)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#132-january-22nd-2020](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#132-january-22nd-2020)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-9vh5-r4qw-v3vv) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault

BIT-vault-2020-7220 / CVE-2020-7220 / GHSA-9vh5-r4qw-v3vv / GO-2022-0816

More information

#### Details

Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-9vh5-r4qw-v3vv](https://redirect.github.com/advisories/GHSA-9vh5-r4qw-v3vv)
- [https://nvd.nist.gov/vuln/detail/CVE-2020-7220](https://nvd.nist.gov/vuln/detail/CVE-2020-7220)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#132-january-22nd-2020](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#132-january-22nd-2020)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2022-0816) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault Improper Privilege Management

BIT-vault-2020-10660 / CVE-2020-10660 / GHSA-m979-w9wj-qfj9 / GO-2024-2486

More information

#### Details

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2020-10660](https://nvd.nist.gov/vuln/detail/CVE-2020-10660)
- [https://github.com/hashicorp/vault/pull/8606](https://redirect.github.com/hashicorp/vault/pull/8606)
- [https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a](https://redirect.github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m979-w9wj-qfj9) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

BIT-vault-2020-10661 / CVE-2020-10661 / GHSA-j6vv-vv26-rh7c / GO-2024-2485

More information

#### Details

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-j6vv-vv26-rh7c](https://redirect.github.com/advisories/GHSA-j6vv-vv26-rh7c)
- [https://nvd.nist.gov/vuln/detail/CVE-2020-10661](https://nvd.nist.gov/vuln/detail/CVE-2020-10661)
- [https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a](https://redirect.github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2485) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault Improper Privilege Management

BIT-vault-2020-10661 / CVE-2020-10661 / GHSA-j6vv-vv26-rh7c / GO-2024-2485

More information

#### Details

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.

#### Severity

- CVSS Score: 9.1 / 10 (Critical)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2020-10661](https://nvd.nist.gov/vuln/detail/CVE-2020-10661)
- [https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a](https://redirect.github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-j6vv-vv26-rh7c) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

BIT-vault-2020-10660 / CVE-2020-10660 / GHSA-m979-w9wj-qfj9 / GO-2024-2486

More information

#### Details

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-m979-w9wj-qfj9](https://redirect.github.com/advisories/GHSA-m979-w9wj-qfj9)
- [https://nvd.nist.gov/vuln/detail/CVE-2020-10660](https://nvd.nist.gov/vuln/detail/CVE-2020-10660)
- [https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a](https://redirect.github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a)
- [https://github.com/hashicorp/vault/pull/8606](https://redirect.github.com/hashicorp/vault/pull/8606)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2486) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault

BIT-vault-2020-25816 / CVE-2020-25816 / GHSA-57gg-cj55-q5g2 / GO-2024-2514

More information

#### Details

Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-57gg-cj55-q5g2](https://redirect.github.com/advisories/GHSA-57gg-cj55-q5g2)
- [https://nvd.nist.gov/vuln/detail/CVE-2020-25816](https://nvd.nist.gov/vuln/detail/CVE-2020-25816)
- [https://github.com/hashicorp/vault/pull/10020/commits/f192878110fe93eb13da914b2bee28caa7866a29](https://redirect.github.com/hashicorp/vault/pull/10020/commits/f192878110fe93eb13da914b2bee28caa7866a29)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#147](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#147)
- [https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#154](https://redirect.github.com/hashicorp/vault/blob/master/CHANGELOG.md#154)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2514) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

Invalid session token expiration in github.com/hashicorp/vault

BIT-vault-2021-32923 / CVE-2021-32923 / GHSA-38j9-7pp9-2hjw / GO-2022-0623

More information

#### Details

Invalid session token expiration in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-38j9-7pp9-2hjw](https://redirect.github.com/advisories/GHSA-38j9-7pp9-2hjw)
- [https://nvd.nist.gov/vuln/detail/CVE-2021-32923](https://nvd.nist.gov/vuln/detail/CVE-2021-32923)
- [https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603](https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603)
- [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2022-0623) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

Invalid session token expiration

BIT-vault-2021-32923 / CVE-2021-32923 / GHSA-38j9-7pp9-2hjw / GO-2022-0623

More information

#### Details

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.

#### Severity

- CVSS Score: 7.4 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-32923](https://nvd.nist.gov/vuln/detail/CVE-2021-32923)
- [https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603](https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603)
- [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)
- [https://www.hashicorp.com/blog/category/vault](https://www.hashicorp.com/blog/category/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-38j9-7pp9-2hjw) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault

BIT-vault-2021-38554 / CVE-2021-38554 / GHSA-6239-28c2-9mrm / GO-2022-0632

More information

#### Details

Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-6239-28c2-9mrm](https://redirect.github.com/advisories/GHSA-6239-28c2-9mrm)
- [https://nvd.nist.gov/vuln/detail/CVE-2021-38554](https://nvd.nist.gov/vuln/detail/CVE-2021-38554)
- [https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166](https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166)
- [https://github.com/hashicorp/vault/releases/tag/v1.6.6](https://redirect.github.com/hashicorp/vault/releases/tag/v1.6.6)
- [https://github.com/hashicorp/vault/releases/tag/v1.7.4](https://redirect.github.com/hashicorp/vault/releases/tag/v1.7.4)
- [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2022-0632) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault

BIT-vault-2021-38554 / CVE-2021-38554 / GHSA-6239-28c2-9mrm / GO-2022-0632

More information

#### Details

HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-38554](https://nvd.nist.gov/vuln/detail/CVE-2021-38554)
- [https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166](https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://github.com/hashicorp/vault/releases/tag/v1.6.6](https://redirect.github.com/hashicorp/vault/releases/tag/v1.6.6)
- [https://github.com/hashicorp/vault/releases/tag/v1.7.4](https://redirect.github.com/hashicorp/vault/releases/tag/v1.7.4)
- [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6239-28c2-9mrm) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Hashicorp Vault Privilege Escalation Vulnerability in github.com/hashicorp/vault

BIT-vault-2021-41802 / CVE-2021-41802 / GHSA-qv95-g3gm-x542 / GO-2022-0618

More information

#### Details

Hashicorp Vault Privilege Escalation Vulnerability in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-qv95-g3gm-x542](https://redirect.github.com/advisories/GHSA-qv95-g3gm-x542)
- [https://nvd.nist.gov/vuln/detail/CVE-2021-41802](https://nvd.nist.gov/vuln/detail/CVE-2021-41802)
- [https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation](https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation)
- [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2022-0618) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

Hashicorp Vault Privilege Escalation Vulnerability

BIT-vault-2021-41802 / CVE-2021-41802 / GHSA-qv95-g3gm-x542 / GO-2022-0618

More information

#### Details

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

#### Severity

- CVSS Score: 2.9 / 10 (Low)
- Vector String: `CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-41802](https://nvd.nist.gov/vuln/detail/CVE-2021-41802)
- [https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation](https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qv95-g3gm-x542) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault

BIT-vault-2021-43998 / CVE-2021-43998 / GHSA-pfmw-vj74-ph8g / GO-2022-0611

More information

#### Details

HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-pfmw-vj74-ph8g](https://redirect.github.com/advisories/GHSA-pfmw-vj74-ph8g)
- [https://nvd.nist.gov/vuln/detail/CVE-2021-43998](https://nvd.nist.gov/vuln/detail/CVE-2021-43998)
- [https://discuss.hashicorp.com/t/hcsec-2021-30-vaults-templated-acl-policies-matched-first-created-alias-per-entity-and-auth-backend/32132](https://discuss.hashicorp.com/t/hcsec-2021-30-vaults-templated-acl-policies-matched-first-created-alias-per-entity-and-auth-backend/32132)
- [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2022-0611) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault Incorrect Permission Assignment for Critical Resource

BIT-vault-2021-43998 / CVE-2021-43998 / GHSA-pfmw-vj74-ph8g / GO-2022-0611

More information

#### Details

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

#### Severity

- CVSS Score: 9.1 / 10 (Critical)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2021-43998](https://nvd.nist.gov/vuln/detail/CVE-2021-43998)
- [https://discuss.hashicorp.com/t/hcsec-2021-30-vaults-templated-acl-policies-matched-first-created-alias-per-entity-and-auth-backend/32132](https://discuss.hashicorp.com/t/hcsec-2021-30-vaults-templated-acl-policies-matched-first-created-alias-per-entity-and-auth-backend/32132)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://security.gentoo.org/glsa/202207-01](https://security.gentoo.org/glsa/202207-01)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-pfmw-vj74-ph8g) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

HashiCorp Vault's revocation list not respected

BIT-vault-2022-41316 / CVE-2022-41316 / GHSA-9mh8-9j64-443f / GO-2023-1897

More information

#### Details

HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2022-41316](https://nvd.nist.gov/vuln/detail/CVE-2022-41316)
- [https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483](https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-9mh8-9j64-443f) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault

BIT-vault-2022-41316 / CVE-2022-41316 / GHSA-9mh8-9j64-443f / GO-2023-1897

More information

#### Details

HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-9mh8-9j64-443f](https://redirect.github.com/advisories/GHSA-9mh8-9j64-443f)
- [https://nvd.nist.gov/vuln/detail/CVE-2022-41316](https://nvd.nist.gov/vuln/detail/CVE-2022-41316)
- [https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483](https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-1897) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation

BIT-vault-2023-24999 / CVE-2023-24999 / GHSA-wmg5-g953-qqfw / GO-2023-1900

More information

#### Details

When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the `/auth/approle/role/:role_name/secret-id-accessor/destroy` endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999, has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

#### Severity

- CVSS Score: 8.1 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2023-24999](https://nvd.nist.gov/vuln/detail/CVE-2023-24999)
- [https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-wmg5-g953-qqfw) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault

BIT-vault-2023-24999 / CVE-2023-24999 / GHSA-wmg5-g953-qqfw / GO-2023-1900

More information

#### Details

Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-wmg5-g953-qqfw](https://redirect.github.com/advisories/GHSA-wmg5-g953-qqfw)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-24999](https://nvd.nist.gov/vuln/detail/CVE-2023-24999)
- [https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305](https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-1900) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault

BIT-vault-2023-0665 / CVE-2023-0665 / GHSA-hwc3-3qh6-r4gg / GO-2023-1708

More information

#### Details

HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-hwc3-3qh6-r4gg](https://redirect.github.com/advisories/GHSA-hwc3-3qh6-r4gg)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-0665](https://nvd.nist.gov/vuln/detail/CVE-2023-0665)
- [https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1](https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1)
- [https://security.netapp.com/advisory/ntap-20230526-0008](https://security.netapp.com/advisory/ntap-20230526-0008)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-1708) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault's PKI mount vulnerable to denial of service

BIT-vault-2023-0665 / CVE-2023-0665 / GHSA-hwc3-3qh6-r4gg / GO-2023-1708

More information

#### Details

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

#### Severity

- CVSS Score: 6.5 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2023-0665](https://nvd.nist.gov/vuln/detail/CVE-2023-0665)
- [https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1](https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://security.netapp.com/advisory/ntap-20230526-0008](https://security.netapp.com/advisory/ntap-20230526-0008)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-hwc3-3qh6-r4gg) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Cache-timing attacks in Shamir's secret sharing in github.com/hashicorp/vault

BIT-vault-2023-25000 / CVE-2023-25000 / GHSA-vq4h-9ghm-qmrr / GO-2023-1709

More information

#### Details

HashiCorp Vault's implementation of Shamir's secret sharing uses precomputed table lookups, and is vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares.

#### Severity

Unknown

#### References

- [https://github.com/hashicorp/vault/pull/19495](https://redirect.github.com/hashicorp/vault/pull/19495)
- [https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078](https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-1709) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault's implementation of Shamir's secret sharing vulnerable to cache-timing attacks

BIT-vault-2023-25000 / CVE-2023-25000 / GHSA-vq4h-9ghm-qmrr / GO-2023-1709

More information

#### Details

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

#### Severity

- CVSS Score: 4.7 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2023-25000](https://nvd.nist.gov/vuln/detail/CVE-2023-25000)
- [https://github.com/hashicorp/vault/pull/19495](https://redirect.github.com/hashicorp/vault/pull/19495)
- [https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078](https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://security.netapp.com/advisory/ntap-20230526-0008](https://security.netapp.com/advisory/ntap-20230526-0008)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-vq4h-9ghm-qmrr) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault

BIT-vault-2023-0620 / CVE-2023-0620 / GHSA-v3hp-mcj5-pg39 / GO-2023-1685

More information

#### Details

HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-v3hp-mcj5-pg39](https://redirect.github.com/advisories/GHSA-v3hp-mcj5-pg39)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-0620](https://nvd.nist.gov/vuln/detail/CVE-2023-0620)
- [https://github.com/hashicorp/vault/pull/19591](https://redirect.github.com/hashicorp/vault/pull/19591)
- [https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080/1](https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080/1)
- [https://github.com/hashicorp/vault/releases/tag/v1.11.9](https://redirect.github.com/hashicorp/vault/releases/tag/v1.11.9)
- [https://github.com/hashicorp/vault/releases/tag/v1.12.5](https://redirect.github.com/hashicorp/vault/releases/tag/v1.12.5)
- [https://github.com/hashicorp/vault/releases/tag/v1.13.1](https://redirect.github.com/hashicorp/vault/releases/tag/v1.13.1)
- [https://security.netapp.com/advisory/ntap-20230526-0008](https://security.netapp.com/advisory/ntap-20230526-0008)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-1685) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File

BIT-vault-2023-0620 / CVE-2023-0620 / GHSA-v3hp-mcj5-pg39 / GO-2023-1685

More information

#### Details

HashiCorp Vault and Vault Enterprise versions 0.8.0 until 1.13.1 are vulnerable to an SQL injection attack when using the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin, certain parameters required to establish a connection (schema, database, and table) are not sanitized when passed to the user-provided MSSQL database. A privileged attacker with the ability to write arbitrary data to Vault's configuration may modify these parameters to execute a malicious SQL command when the Vault configuration is applied. This issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9.

#### Severity

- CVSS Score: 6.7 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2023-0620](https://nvd.nist.gov/vuln/detail/CVE-2023-0620)
- [https://github.com/hashicorp/vault/pull/19591](https://redirect.github.com/hashicorp/vault/pull/19591)
- [https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080/1](https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080/1)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://github.com/hashicorp/vault/releases/tag/v1.11.9](https://redirect.github.com/hashicorp/vault/releases/tag/v1.11.9)
- [https://github.com/hashicorp/vault/releases/tag/v1.12.5](https://redirect.github.com/hashicorp/vault/releases/tag/v1.12.5)
- [https://github.com/hashicorp/vault/releases/tag/v1.13.1](https://redirect.github.com/hashicorp/vault/releases/tag/v1.13.1)
- [https://security.netapp.com/advisory/ntap-20230526-0008](https://security.netapp.com/advisory/ntap-20230526-0008)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-v3hp-mcj5-pg39) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Hashicorp Vault vulnerable to Cross-site Scripting

BIT-vault-2023-2121 / CVE-2023-2121 / GHSA-gq98-53rq-qr5h / GO-2023-1849

More information

#### Details

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

#### Severity

- CVSS Score: 4.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2023-2121](https://nvd.nist.gov/vuln/detail/CVE-2023-2121)
- [https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814](https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gq98-53rq-qr5h) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault

BIT-vault-2023-2121 / CVE-2023-2121 / GHSA-gq98-53rq-qr5h / GO-2023-1849

More information

#### Details

Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-gq98-53rq-qr5h](https://redirect.github.com/advisories/GHSA-gq98-53rq-qr5h)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-2121](https://nvd.nist.gov/vuln/detail/CVE-2023-2121)
- [https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814](https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-1849) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability

BIT-vault-2023-5077 / CVE-2023-5077 / GHSA-86c6-3g63-5w64 / GO-2023-2088

More information

#### Details

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

#### Severity

- CVSS Score: 7.6 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2023-5077](https://nvd.nist.gov/vuln/detail/CVE-2023-5077)
- [https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654](https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-86c6-3g63-5w64) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault

BIT-vault-2023-5077 / CVE-2023-5077 / GHSA-86c6-3g63-5w64 / GO-2023-2088

More information

#### Details

Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-86c6-3g63-5w64](https://redirect.github.com/advisories/GHSA-86c6-3g63-5w64)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-5077](https://nvd.nist.gov/vuln/detail/CVE-2023-5077)
- [https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654](https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-2088) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault and Vault Enterprise vulnerable to user enumeration

BIT-vault-2023-3462 / CVE-2023-3462 / GHSA-9v3w-w2jh-4hff / GO-2023-1986

More information

#### Details

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2023-3462](https://nvd.nist.gov/vuln/detail/CVE-2023-3462)
- [https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714](https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-9v3w-w2jh-4hff) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault

BIT-vault-2023-3462 / CVE-2023-3462 / GHSA-9v3w-w2jh-4hff / GO-2023-1986

More information

#### Details

HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-9v3w-w2jh-4hff](https://redirect.github.com/advisories/GHSA-9v3w-w2jh-4hff)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-3462](https://nvd.nist.gov/vuln/detail/CVE-2023-3462)
- [https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714](https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-1986) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability

BIT-vault-2023-5954 / CVE-2023-5954 / GHSA-4qhc-v8r6-8vwm / GO-2023-2329

More information

#### Details

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2023-5954](https://nvd.nist.gov/vuln/detail/CVE-2023-5954)
- [https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926](https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://security.netapp.com/advisory/ntap-20231227-0001](https://security.netapp.com/advisory/ntap-20231227-0001)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-4qhc-v8r6-8vwm) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault

BIT-vault-2023-5954 / CVE-2023-5954 / GHSA-4qhc-v8r6-8vwm / GO-2023-2329

More information

#### Details

HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault

#### Severity

Unknown

#### References

- [https://github.com/advisories/GHSA-4qhc-v8r6-8vwm](https://redirect.github.com/advisories/GHSA-4qhc-v8r6-8vwm)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-5954](https://nvd.nist.gov/vuln/detail/CVE-2023-5954)
- [https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926](https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926)
- [https://security.netapp.com/advisory/ntap-20231227-0001](https://security.netapp.com/advisory/ntap-20231227-0001)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-2329) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

Incorrect TLS certificate auth method in Vault

BIT-vault-2024-2048 / CVE-2024-2048 / GHSA-r3w7-mfpm-c2vw / GO-2024-2617

More information

#### Details

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.

#### Severity

- CVSS Score: 8.1 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2024-2048](https://nvd.nist.gov/vuln/detail/CVE-2024-2048)
- [https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382](https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382)
- [https://github.com/hashicorp/vault](https://redirect.github.com/hashicorp/vault)
- [https://security.netapp.com/advisory/ntap-20240524-0009](https://security.netapp.com/advisory/ntap-20240524-0009)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-r3w7-mfpm-c2vw) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Authentication bypass in github.com/hashicorp/vault

BIT-vault-2024-2048 / CVE-2024-2048 / GHSA-r3w7-mfpm-c2vw / GO-2024-2617

More information

#### Details

The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.

#### Severity

Unknown

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2024-2048](https://nvd.nist.gov/vuln/detail/CVE-2024-2048)
- [https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382](https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2617) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)).

HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims

BIT-vault-2024-5798 / CVE-2024-5798 / GHSA-32cj-5wx4-gq8p / GO-2024-2921

More information

#### Details

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT whose audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9.

#### Severity

- CVSS Score: 2.6 / 10 (Low)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N`

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2024-5798](https://nvd.nist.gov/vuln/detail/CVE-2024-5798)
- [https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770](https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incor
pulumi-renovate[bot] commented 5 days ago

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: provider/go.sum

```
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: github.com/hashicorp/terraform-provider-aws@v1.60.1-0.20220923175450-ca71523cdc36 (replaced by ../upstream): reading ../upstream/go.mod: open /tmp/renovate/repos/github/pulumi/pulumi-aws/upstream/go.mod: no such file or directory
```
github-actions[bot] commented 5 days ago

Does the PR have any schema changes?

Looking good! No breaking changes found. No new resources/functions.

Maintainer note: consult the runbook for dealing with any breaking changes.