Update module github.com/hashicorp/vault to v1.18.1 [SECURITY] #4817
This PR contains the following updates:
v1.2.0 -> v1.18.1
Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault
BIT-vault-2020-16250 / CVE-2020-16250 / GHSA-fp52-qw33-mfmw / GO-2022-0825
Details
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault Authentication bypass
BIT-vault-2020-16251 / CVE-2020-16251 / GHSA-4mp7-2m29-gqxf / GO-2024-2488
Details
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault
BIT-vault-2020-16250 / CVE-2020-16250 / GHSA-fp52-qw33-mfmw / GO-2022-0825
Details
Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Vault Authentication bypass in github.com/hashicorp/vault
BIT-vault-2020-16251 / CVE-2020-16251 / GHSA-4mp7-2m29-gqxf / GO-2024-2488
Details
HashiCorp Vault Authentication bypass in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault
BIT-vault-2020-7220 / CVE-2020-7220 / GHSA-9vh5-r4qw-v3vv / GO-2022-0816
Details
Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Improper Resource Shutdown or Release in HashiCorp Vault
BIT-vault-2020-7220 / CVE-2020-7220 / GHSA-9vh5-r4qw-v3vv / GO-2022-0816
Details
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault Improper Privilege Management
BIT-vault-2020-10660 / CVE-2020-10660 / GHSA-m979-w9wj-qfj9 / GO-2024-2486
Details
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
BIT-vault-2020-10661 / CVE-2020-10661 / GHSA-j6vv-vv26-rh7c / GO-2024-2485
Details
HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Vault Improper Privilege Management
BIT-vault-2020-10661 / CVE-2020-10661 / GHSA-j6vv-vv26-rh7c / GO-2024-2485
Details
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
BIT-vault-2020-10660 / CVE-2020-10660 / GHSA-m979-w9wj-qfj9 / GO-2024-2486
Details
HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault
BIT-vault-2020-25816 / CVE-2020-25816 / GHSA-57gg-cj55-q5g2 / GO-2024-2514
Details
Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Invalid session token expiration
BIT-vault-2021-32923 / CVE-2021-32923 / GHSA-38j9-7pp9-2hjw / GO-2022-0623
Details
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Invalid session token expiration in github.com/hashicorp/vault
BIT-vault-2021-32923 / CVE-2021-32923 / GHSA-38j9-7pp9-2hjw / GO-2022-0623
Details
Invalid session token expiration in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault
BIT-vault-2021-38554 / CVE-2021-38554 / GHSA-6239-28c2-9mrm / GO-2022-0632
Details
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault
BIT-vault-2021-38554 / CVE-2021-38554 / GHSA-6239-28c2-9mrm / GO-2022-0632
Details
Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Hashicorp Vault Privilege Escalation Vulnerability in github.com/hashicorp/vault
BIT-vault-2021-41802 / CVE-2021-41802 / GHSA-qv95-g3gm-x542 / GO-2022-0618
Details
Hashicorp Vault Privilege Escalation Vulnerability in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Hashicorp Vault Privilege Escalation Vulnerability
BIT-vault-2021-41802 / CVE-2021-41802 / GHSA-qv95-g3gm-x542 / GO-2022-0618
Details
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
Severity
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault
BIT-vault-2021-43998 / CVE-2021-43998 / GHSA-pfmw-vj74-ph8g / GO-2022-0611
Details
HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Vault Incorrect Permission Assignment for Critical Resource
BIT-vault-2021-43998 / CVE-2021-43998 / GHSA-pfmw-vj74-ph8g / GO-2022-0611
Details
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault's revocation list not respected
BIT-vault-2022-41316 / CVE-2022-41316 / GHSA-9mh8-9j64-443f / GO-2023-1897
Details
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault
BIT-vault-2022-41316 / CVE-2022-41316 / GHSA-9mh8-9j64-443f / GO-2023-1897
Details
HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault
BIT-vault-2023-24999 / CVE-2023-24999 / GHSA-wmg5-g953-qqfw / GO-2023-1900
Details
Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
BIT-vault-2023-24999 / CVE-2023-24999 / GHSA-wmg5-g953-qqfw / GO-2023-1900
Details
When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999, has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault
BIT-vault-2023-0620 / CVE-2023-0620 / GHSA-v3hp-mcj5-pg39 / GO-2023-1685
Details
HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File
BIT-vault-2023-0620 / CVE-2023-0620 / GHSA-v3hp-mcj5-pg39 / GO-2023-1685
Details
HashiCorp Vault and Vault Enterprise versions 0.8.0 until 1.13.1 are vulnerable to an SQL injection attack when using the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin, certain parameters required to establish a connection (schema, database, and table) are not sanitized when passed to the user-provided MSSQL database. A privileged attacker with the ability to write arbitrary data to Vault's configuration may modify these parameters to execute a malicious SQL command when the Vault configuration is applied. This issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9.
Severity
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault
BIT-vault-2023-0665 / CVE-2023-0665 / GHSA-hwc3-3qh6-r4gg / GO-2023-1708
Details
HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Vault's implementation of Shamir's secret sharing vulnerable to cache-timing attacks
BIT-vault-2023-25000 / CVE-2023-25000 / GHSA-vq4h-9ghm-qmrr / GO-2023-1709
Details
HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.
Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault's PKI mount vulnerable to denial of service
BIT-vault-2023-0665 / CVE-2023-0665 / GHSA-hwc3-3qh6-r4gg / GO-2023-1708
Details
HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Cache-timing attacks in Shamir's secret sharing in github.com/hashicorp/vault
BIT-vault-2023-25000 / CVE-2023-25000 / GHSA-vq4h-9ghm-qmrr / GO-2023-1709
Details
HashiCorp Vault's implementation of Shamir's secret sharing uses precomputed table lookups, and is vulnerable to cache-timing attacks.
An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault
BIT-vault-2023-2121 / CVE-2023-2121 / GHSA-gq98-53rq-qr5h / GO-2023-1849
Details
Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Hashicorp Vault vulnerable to Cross-site Scripting
BIT-vault-2023-2121 / CVE-2023-2121 / GHSA-gq98-53rq-qr5h / GO-2023-1849
Details
Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
BIT-vault-2023-5077 / CVE-2023-5077 / GHSA-86c6-3g63-5w64 / GO-2023-2088
Details
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
Severity
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault
BIT-vault-2023-5077 / CVE-2023-5077 / GHSA-86c6-3g63-5w64 / GO-2023-2088
Details
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Vault and Vault Enterprise vulnerable to user enumeration
BIT-vault-2023-3462 / CVE-2023-3462 / GHSA-9v3w-w2jh-4hff / GO-2023-1986
Details
HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault
BIT-vault-2023-3462 / CVE-2023-3462 / GHSA-9v3w-w2jh-4hff / GO-2023-1986
Details
HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault
BIT-vault-2023-5954 / CVE-2023-5954 / GHSA-4qhc-v8r6-8vwm / GO-2023-2329
Details
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability
BIT-vault-2023-5954 / CVE-2023-5954 / GHSA-4qhc-v8r6-8vwm / GO-2023-2329
Details
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Incorrect TLS certificate auth method in Vault
BIT-vault-2024-2048 / CVE-2024-2048 / GHSA-r3w7-mfpm-c2vw / GO-2024-2617
Details
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Authentication bypass in github.com/hashicorp/vault
BIT-vault-2024-2048 / CVE-2024-2048 / GHSA-r3w7-mfpm-c2vw / GO-2024-2617
Details
The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims
BIT-vault-2024-5798 / CVE-2024-5798 / GHSA-32cj-5wx4-gq8p / GO-2024-2921
Details
Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT whose audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected.
This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9.
Severity
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
References