SB2023051845 - OpenShift Container Platform 4.13 update for vault
Published: May 18, 2023

Security Bulletin ID: SB2023051845
Severity: High
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 50%, Medium: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2020-16251)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-43998)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists because templated ACL policies always match the first-created entity alias when multiple entity aliases exist for a given entity and mount combination. A remote user can trigger incorrect policy enforcement.


Remediation

Install the update from the vendor's website.