Description
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://www.hashicorp.com/blog/category/vault/
Third Party Advisory x_refsource_confirm
https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020
Scores
CVSS v3
5.3
EPSS
0.0023
EPSS Percentile
45.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-276
Status
published
Products (2)
hashicorp/vault
0.9.0 - 1.3.3 (2 CPE variants)
hashicorp/vault
0.9.0 - 1.3.4 (Go)
Published
Mar 23, 2020
Tracked Since
Feb 18, 2026