Information disclosure in Vault Enterprise - CVE-2022-25244

Published: March 4, 2022 / Updated: April 17, 2026


Vulnerability identifier: #VU126406
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-25244
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HashiCorp
Affected software:
Vault Enterprise

Detailed vulnerability description

The vulnerability allows a remote authenticated user to disclose a tokenization transform key.

The vulnerability exists because the tokenization key configuration endpoint of the Transform secrets engine, when handling a read request for a key's configuration, returns the base64-encoded key material together with the configuration. A remote user with read permission on that endpoint can retrieve the key configuration and recover the tokenization transform key from it.

Exploitation requires read permission on the authenticated endpoint. Reversing tokenized values additionally requires access to the tokenization state values and, in the default non-exportable mode, the end-user-device tokens.
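The practical follow-up to this advisory is to establish who read a tokenization key's configuration while a vulnerable build was deployed, since a successful read before the update is the only trace of a possible key disclosure. The following Python is an added example, not part of this advisory or of HashiCorp's code: it scans Vault audit-device JSON lines for successful read operations on the tokenization key configuration path and reports the client identity behind each one. It assumes the default `transform` mount and the `<mount>/tokenization/keys/<name>` path layout of the Transform secrets engine API; the audit lines embedded below are constructed for the example.

```python
import json
import re
from typing import Dict, Iterable, List, Set

# Tokenization key configuration path of the Transform secrets engine.
# The mount name is captured rather than hard-coded because the engine can
# be mounted anywhere; "transform" in the sample data is the default mount
# and is an assumption of this example.
KEY_CONFIG_PATH = re.compile(r"^(?P<mount>[^/]+)/tokenization/keys/(?P<key>[^/]+)$")

# Constructed Vault audit-device lines (JSON, one entry per line). Vault emits a
# "request" entry and a "response" entry per call; secret values are HMAC'd.
SAMPLE_AUDIT_LOG = r"""
{"time":"2022-03-01T10:00:00Z","type":"request","auth":{"display_name":"approle","entity_id":"e1","policies":["default","transform-reader"]},"request":{"id":"r1","operation":"read","path":"transform/tokenization/keys/card-tokenizer","client_token":"hmac-sha256:aaa"}}
{"time":"2022-03-01T10:00:00Z","type":"response","auth":{"display_name":"approle","entity_id":"e1","policies":["default","transform-reader"]},"request":{"id":"r1","operation":"read","path":"transform/tokenization/keys/card-tokenizer","client_token":"hmac-sha256:aaa"},"response":{"data":{"name":"hmac-sha256:bbb","type":"hmac-sha256:ccc"}}}
{"time":"2022-03-01T10:05:00Z","type":"response","auth":{"display_name":"token","entity_id":"e2","policies":["default"]},"request":{"id":"r2","operation":"read","path":"transform/tokenization/keys/card-tokenizer","client_token":"hmac-sha256:ddd"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2022-03-01T10:06:00Z","type":"response","auth":{"display_name":"approle","entity_id":"e1","policies":["default","transform-reader"]},"request":{"id":"r3","operation":"list","path":"transform/tokenization/keys/","client_token":"hmac-sha256:aaa"},"response":{"data":{"keys":["hmac-sha256:eee"]}}}
{"time":"2022-03-01T10:07:00Z","type":"response","auth":{"display_name":"approle","entity_id":"e1","policies":["default","transform-reader"]},"request":{"id":"r4","operation":"read","path":"transform/transformations/tokenization/card-tokenizer","client_token":"hmac-sha256:aaa"},"response":{"data":{}}}
"""


def find_key_config_reads(audit_lines: Iterable[str]) -> List[Dict]:
    """Return one record per successful read of a tokenization key configuration."""
    hits: List[Dict] = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        # Only the "response" entry tells us whether the read actually succeeded.
        if entry.get("type") != "response":
            continue
        if entry.get("error"):
            continue  # e.g. "permission denied": no key material was returned
        req = entry.get("request") or {}
        if req.get("operation") != "read":
            continue  # list/update/delete on the keys path do not return the key
        match = KEY_CONFIG_PATH.match(req.get("path", ""))
        if not match:
            continue
        auth = entry.get("auth") or {}
        hits.append({
            "time": entry.get("time"),
            "mount": match.group("mount"),
            "key": match.group("key"),
            "display_name": auth.get("display_name"),
            "entity_id": auth.get("entity_id"),
            "policies": list(auth.get("policies") or []),
        })
    return hits


def keys_to_rotate(hits: List[Dict]) -> Set[str]:
    """Distinct <mount>/<key> pairs whose configuration was read and so should be rotated."""
    return {f"{h['mount']}/{h['key']}" for h in hits}


def scan_sample() -> List[Dict]:
    return find_key_config_reads(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    found = scan_sample()
    for hit in found:
        print(json.dumps(hit))
    print("rotate:", sorted(keys_to_rotate(found)))
```

Run it against a real audit file with `find_key_config_reads(open("vault_audit.log"))`. Only the successful read on the exact key path is reported; the denied read, the list operation and the read of the transformation (not the key) are deliberately ignored, because none of them returned key material.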


How to mitigate CVE-2022-25244

Install the security update from the vendor's website. Because the key material may already have been read while a vulnerable version was running, review the Vault audit log for successful read operations on the tokenization key configuration endpoint during that window, and rotate any tokenization key whose configuration was read by a client that should not hold the key.

Sources