CVE-2021-41802

2.9LOW

Key Information

Vendor: Hashicorp
Status: Vault
Vendor: CVE Published:; 8 October 2021

Summary

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

CVSS V3.1

Score:

2.9

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Risk change from: 5.4 to: 2.9 - (LOW)
Feb 22, 2024
Vulnerability published.
Oct 8, 2021
Vulnerability Reserved.
Sep 29, 2021

Collectors

NVD DatabaseMitre Database

.