Improper Certificate Validation in Vault and Vault Enterprise - CVE-2021-29653

Published: April 21, 2021 / Updated: April 17, 2026


Vulnerability identifier: #VU126404
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-29653
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Vault, Vault Enterprise
Software vendor: HashiCorp

Description

The vulnerability allows a remote user to bypass certificate revocation checks.

The vulnerability exists due to improper certificate revocation handling in the PKI Secrets Engine's CRL generation logic when a tidy operation is processed with tidy_revoked_certs enabled. A remote user holding a revoked but unexpired certificate can continue to use it, because the generated CRL no longer lists it and revocation checks that rely on that CRL pass.

Exploitation requires that the PKI revocation mechanism is in use and that the generated certificate revocation list is enforced by relying parties; it only occurs when the tidy_revoked_certs setting is enabled.
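The failure mode the description refers to, as an added model that is not Vault's code: a tidy pass that decides removal on the wrong timestamp drops a revoked certificate that is still within its validity period, so the regenerated CRL no longer lists it. The RevokedCert type, its field names, the sample serials and the use_revocation_time switch are constructed assumptions; the audit function at the end is the check an operator can run against a real CRL and their own revocation records after a tidy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class RevokedCert:
    serial: str
    not_after: datetime   # certificate expiry (notAfter)
    revoked_at: datetime  # when the PKI engine revoked it

def tidy_revoked_entries(revoked, now, safety_buffer, use_revocation_time=False):
    """Model of a tidy pass over the revoked-certificate store.

    Correct behaviour keeps an entry until not_after + safety_buffer has
    passed, so the CRL lists each revoked certificate for its whole validity
    period. use_revocation_time=True keys the decision on the revocation
    timestamp instead: a constructed stand-in for the advisory's defect (not
    Vault's code) that drops entries for certificates that are still valid."""
    kept = []
    for cert in revoked:
        base = cert.revoked_at if use_revocation_time else cert.not_after
        if base + safety_buffer > now:
            kept.append(cert)
    return kept

def build_crl(revoked_entries):
    """Regenerated CRL, reduced to the set of serials it lists."""
    return frozenset(cert.serial for cert in revoked_entries)

def unexpired_revoked_missing_from_crl(revoked, crl_serials, now):
    """Post-tidy audit: revoked serials that are still unexpired but absent
    from the CRL. Non-empty means a revoked certificate would pass CRL checks."""
    return sorted(c.serial for c in revoked
                  if c.not_after > now and c.serial not in crl_serials)

# Constructed sample data: three revoked certificates in different states
NOW = datetime(2021, 4, 21, tzinfo=timezone.utc)
BUFFER = timedelta(hours=72)
REVOKED = [
    RevokedCert("01", NOW + timedelta(days=30), NOW - timedelta(days=10)),  # still valid
    RevokedCert("02", NOW - timedelta(days=10), NOW - timedelta(days=20)),  # long expired
    RevokedCert("03", NOW - timedelta(hours=1), NOW - timedelta(days=2)),   # just expired
]

def run(use_revocation_time):
    """Tidy, rebuild the CRL, then audit it; returns (crl_serials, missing)."""
    kept = tidy_revoked_entries(REVOKED, NOW, BUFFER, use_revocation_time)
    crl = build_crl(kept)
    return crl, unexpired_revoked_missing_from_crl(REVOKED, crl, NOW)
```

run(True) models the defective tidy and reports serial 01 as revoked, unexpired and missing from the CRL; run(False) keeps it listed and the audit returns nothing.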


Remediation

Install the security update from the vendor's website.

External links