CVE-2022-40186

CRITICAL

Hashicorp Vault < 1.9.9 - IDOR

Title source: rule

Description

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.

References (3)

Core 3

Core References

Vendor Advisory

https://discuss.hashicorp.com

Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2022-18-vault-entity-alias-metadata-may-leak-between-aliases-with-the-same-name-assigned-to-the-same-entity/44550

Third Party Advisory

https://security.netapp.com/advisory/ntap-20221111-0008/

Scores

CVSS v3 9.1

EPSS 0.0034

EPSS Percentile 56.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-639

Status published

Products (2)

hashicorp/vault 1.11.0 - 1.11.3Go

hashicorp/vault 1.8.0 - 1.9.9 (2 CPE variants)

Published Sep 22, 2022

Tracked Since Feb 18, 2026