CVE-2022-25243 — Vulnetix

CVE-2022-25243 PUBLISHED

"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.

EPSS 0.15% · 35.8th percentile

Risk Scores

EPSS Score

0.15%

35.8th percentile

Affected Products

Vendor	Product	Versions
Bitnami	vault	1.8.0, 1.9.0
Bitnami	vault	1.8.0, 1.9.0

Timeline

Mar 7, 2022 CVE Published
Mar 8, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 19, 2022 EPSS Score
Aug 10, 2022 EPSS Score
Oct 1, 2022 EPSS Score
Nov 21, 2022 EPSS Score
Jan 11, 2023 EPSS Score
Mar 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 24, 2023 EPSS Score
Jun 15, 2023 EPSS Score

References

https://discuss.hashicorp.com url
https://discuss.hashicorp.com/t/hcsec-2022-09-vault-pki-secrets-engine-policy-results-in-incorrect-wildcard-certificate-issuance/36600 url
https://security.gentoo.org/glsa/202207-01 url
https://nvd.nist.gov/vuln/detail/CVE-2022-25243 url

Open in Interactive Console →