Unexpected Privilege Escalation in HashiCorp Vault with Google Cloud Secrets
CVE-2021-42135

8.1HIGH

Key Information:

Vendor: Hashicorp
Status: Vault
Vendor: CVE Published:; 11 October 2021

What is CVE-2021-42135?

HashiCorp Vault versions 1.8.0 through 1.8.4 may exhibit unexpected behavior due to a conflict between glob-related policies and the Google Cloud secrets engine. This interaction can lead to situations where users gain more privileges than intended. For instance, a user with read access to the /gcp/roleset/* path might be able to issue Google Cloud service account credentials, creating security risks. Proper policy management is crucial to prevent unauthorized access.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-goog...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 11, 2021
Vulnerability Reserved
Oct 11, 2021

JSON

Hashicorp

What is CVE-2021-42135?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.