SB2022031039 - Security restrictions bypass in HashiCorp Vault
Published: March 10, 2022 Updated: August 4, 2022
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Certificate Validation (CVE-ID: CVE-2022-25243)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists because, under certain configurations, the PKI secrets engine issues wildcard certificates to authorized users for a specified domain even when the PKI role policy attribute allow_subdomains is set to false. A remote user can bypass the implemented security restriction and obtain wildcard certificates.
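As an added illustration (not HashiCorp Vault's own code), the name check a PKI role with allow_subdomains set to false should enforce, plus an audit helper that flags already-issued names the policy should have refused. The role fields mirror the Vault role attributes named above (allowed_domains, allow_bare_domains, allow_subdomains); the class and function names, and the sample list of issued names, are assumptions constructed for the example.

```python
"""Added example: policy check for a Vault-style PKI role. Not Vault's code."""
from dataclasses import dataclass, field


@dataclass
class PkiRole:
    allowed_domains: list[str] = field(default_factory=list)
    allow_bare_domains: bool = False
    allow_subdomains: bool = False


def normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so matching is case-insensitive."""
    return name.strip().lower().rstrip(".")


def name_allowed(role: PkiRole, requested: str) -> bool:
    """True only if the role permits a certificate for `requested`.

    A wildcard such as *.example.com covers every subdomain, so it is only
    acceptable when allow_subdomains is true. It must never be accepted on
    the strength of allow_bare_domains alone, which is the gap this
    advisory describes."""
    name = normalise(requested)
    if "*" in name and not name.startswith("*."):
        return False  # a wildcard is only meaningful as the leftmost label
    if name.startswith("*.") and not role.allow_subdomains:
        return False  # explicit guard: wildcard implies subdomains
    for domain in map(normalise, role.allowed_domains):
        if name == domain:
            return role.allow_bare_domains
        if name.endswith("." + domain):  # foo.example.com or *.example.com
            return role.allow_subdomains
    return False


def audit_issued_names(role: PkiRole, issued: list[str]) -> list[str]:
    """Names already issued under `role` that the policy should have refused."""
    return [n for n in issued if not name_allowed(role, n)]


if __name__ == "__main__":
    # Constructed sample: a bare-domain-only role and common names as an
    # operator might collect them from the certificates of a PKI mount.
    role = PkiRole(["example.com"], allow_bare_domains=True)
    issued = ["example.com", "*.example.com", "api.example.com", "other.test"]
    for bad in audit_issued_names(role, issued):
        print("revoke/investigate:", bad)  # flags *.example.com and others
```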
Remediation
Install the update from the vendor's website.