Description
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
References (3)
Core References
Product, Vendor Advisory x_refsource_misc
https://www.hashicorp.com/blog/category/vault/
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html
Scores
CVSS v3
8.2
EPSS
0.0092
EPSS Percentile
76.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Details
CWE
CWE-287
Status
published
Products (2)
hashicorp/vault
0.8.3 - 1.2.5 (2 CPE variants)
hashicorp/vault
0.8.3 - 1.2.5 (Go)
Published
Aug 26, 2020
Tracked Since
Feb 18, 2026