CVE-2021-30476
CRITICALHashiCorp Terraform's Vault Provider - Auth Bypass
Title source: llmDescription
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
References (2)
Core 2
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/hashicorp/terraform-provider-vault/issues/996
Vendor Advisory x_refsource_confirm
https://discuss.hashicorp.com/t/hcsec-2021-11-terraform-s-vault-provider-did-not-correctly-configure-bound-labels-for-gcp-auth/23464/2
Scores
CVSS v3
9.8
EPSS
0.0061
EPSS Percentile
69.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (1)
hashicorp/terraform_provider
< 2.19.1
Published
Apr 22, 2021
Tracked Since
Feb 18, 2026