CVE-2021-41802 — Vulnetix

CVE-2021-41802 PUBLISHED

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

EPSS 0.55% · 68.3th percentile

Risk Scores

EPSS Score

0.55%

68.3th percentile

Affected Products

Vendor	Product	Versions
Bitnami	vault	0, 1.8.0
Bitnami	vault	0, 1.8.0

Timeline

Oct 8, 2021 CVE Published
Oct 9, 2021 EPSS Score
Dec 5, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Jan 30, 2022 EPSS Score
Mar 28, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 23, 2022 EPSS Score
Jul 20, 2022 EPSS Score
Sep 15, 2022 EPSS Score
Nov 10, 2022 EPSS Score
Jan 6, 2023 EPSS Score

References

https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation/ url
https://security.gentoo.org/glsa/202207-01 url
https://nvd.nist.gov/vuln/detail/CVE-2021-41802 url

Open in Interactive Console →