HashiCorp Vault Improper Privilege Management · CVE-2020-10660 · GitHub Advisory Database · GitHub

HashiCorp Vault Improper Privilege Management

Moderate severity GitHub Reviewed Published Jan 30, 2024 to the GitHub Advisory Database • Updated Jan 30, 2024

Package

github.com/hashicorp/vault/vault (Go)

Affected versions

>= 0.9.0, < 1.3.4

Patched versions

1.3.4

Description

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

References

Published to the GitHub Advisory Database Jan 30, 2024

Reviewed Jan 30, 2024

Last updated Jan 30, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N