Improper Certificate Validation in Vault and Vault Enterprise - CVE-2021-27400

 

Improper Certificate Validation in Vault and Vault Enterprise - CVE-2021-27400

Published: April 21, 2021 / Updated: April 17, 2026


Vulnerability identifier: #VU126405
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-27400
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HashiCorp
Affected software:
Vault
Vault Enterprise

Detailed vulnerability description

The vulnerability allows a remote attacker to intercept encrypted connections.

The vulnerability exists due to improper certificate validation in the Cassandra storage backend and Cassandra database secrets engine plugin when connecting to Cassandra clusters over TLS. A remote attacker can present an untrusted certificate to intercept encrypted connections.


How to mitigate CVE-2021-27400

Install security update from vendor's website.

Sources