CVE-2021-42135

8.1HIGH

Key Information

Vendor: Hashicorp
Status: Vault
Vendor: CVE Published:; 11 October 2021

Summary

HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Oct 11, 2021
Vulnerability Reserved.
Oct 11, 2021

Collectors

NVD DatabaseMitre Database