Description
HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.
References (2)
Core References
Release Notes (x_refsource_confirm): https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#161
Vendor Advisory (x_refsource_confirm): https://discuss.hashicorp.com/t/hcsec-2020-24-vault-enterprise-s-sentinel-egp-policies-may-impact-parent-or-sibling-namespaces/18983
Scores
CVSS v3: 5.3
EPSS: 0.0033
EPSS Percentile: 55.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
Status: published
Products (1)
hashicorp/vault: 1.5.0 - 1.5.6 (2 CPE variants)
Published: Dec 17, 2020
Tracked Since: Feb 18, 2026