Improper Certificate Validation in Vault and Vault Enterprise - CVE-2021-27400

Published: April 21, 2021 / Updated: April 17, 2026


Vulnerability identifier: #VU126405
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-27400
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Vault
Vault Enterprise
Software vendor:
HashiCorp

Description

The vulnerability allows a remote attacker to intercept the TLS connections between Vault and its Cassandra cluster.

The vulnerability exists because the Cassandra storage backend and the Cassandra database secrets engine plugin do not validate the server certificate presented by a Cassandra node when connecting over TLS. An attacker who can interpose on the network path between Vault and Cassandra, or answer in place of a Cassandra node, can present a certificate that was not issued by the CA Vault is configured with, and Vault completes the handshake anyway. The attacker then holds a man-in-the-middle position over storage backend traffic and over the Cassandra credentials the secrets engine uses: TLS in this configuration hides the traffic from passive observers but does not authenticate the peer.
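The following Go program is an added illustration of the defect class, not code from Vault or from HashiCorp's advisory. It generates a throwaway CA, a legitimate Cassandra node certificate, a rogue self-signed certificate carrying the same host name (the interception case) and a CA-issued certificate for a different host, then runs real TLS handshakes over loopback TCP against two client configurations: one that skips chain verification, which is how the missing validation is modelled here (Vault's actual Cassandra client wiring is not reproduced), and one that pins the configured CA and the expected host name. The host name `cassandra.internal.example` and the function names are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must unwraps fixture-generation results; everything here is throwaway test material.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an in-memory certificate for cn: self-signed when parent is nil
// (a CA, or a rogue server certificate), otherwise a server leaf signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn} // Go matches ServerName against SANs, not the CN
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// handshake runs one TLS handshake over loopback TCP between a server presenting
// cert and a client using cfg. A nil result means the client accepted the certificate.
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, cfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	go func() {
		if conn, err := ln.Accept(); err == nil {
			srv := tls.Server(conn, srvCfg)
			_ = srv.Handshake() // a client-side rejection surfaces here as an error too
			srv.Close()
		}
	}()
	raw := must(net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second))
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, cfg)
	defer cli.Close()
	return cli.Handshake()
}

// vulnerableClientConfig models the defect class: the session is encrypted but the
// peer's identity is never checked (an illustration, not Vault's actual Cassandra wiring).
func vulnerableClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedClientConfig trusts only the configured CA and the expected host name.
func hardenedClientConfig(ca *x509.Certificate, host string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12}
}

// Result records which server certificates each client configuration accepted.
type Result struct{ VulnAcceptsTrusted, VulnAcceptsRogue, HardAcceptsTrusted, HardAcceptsRogue, HardAcceptsWrongName bool }

// Demo offers a CA-issued, a rogue self-signed (same name) and a CA-issued wrong-name
// certificate to both client configurations.
func Demo() Result {
	const host = "cassandra.internal.example" // assumed host name for the example
	ca, caKey := newCert("Vault Cassandra Test CA", true, nil, nil)
	trusted, trustedKey := newCert(host, false, ca, caKey)
	rogue, rogueKey := newCert(host, false, nil, nil)
	wrong, wrongKey := newCert("other.internal.example", false, ca, caKey)
	vuln, hard := vulnerableClientConfig(), hardenedClientConfig(ca, host)
	return Result{
		VulnAcceptsTrusted:   handshake(trusted, trustedKey, vuln) == nil,
		VulnAcceptsRogue:     handshake(rogue, rogueKey, vuln) == nil,
		HardAcceptsTrusted:   handshake(trusted, trustedKey, hard) == nil,
		HardAcceptsRogue:     handshake(rogue, rogueKey, hard) == nil,
		HardAcceptsWrongName: handshake(wrong, wrongKey, hard) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The unverified client completes the handshake with every certificate, including the rogue one, which is the behaviour an interposed attacker needs. The hardened client accepts only the certificate issued by the pinned CA for the expected name; the wrong-name case shows why `ServerName` matters as well as the CA, since a certificate legitimately issued by the same internal CA for another host would otherwise be accepted.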


Remediation

Install the security update from the vendor's website; HashiCorp lists Vault and Vault Enterprise 1.6.4 and 1.7.1 as the fixed releases. After upgrading, confirm that the Cassandra storage stanza and any Cassandra database plugin configuration supply the CA that issued the cluster's certificates through their PEM bundle options, and that `tls_skip_verify` (storage backend) and `insecure_tls` (database plugin) are not set, since those options disable the check the fix restores. Until the upgrade is in place, treat the network path between Vault and Cassandra as untrusted and restrict who can reach it.
