QID 980400

QID 980400: Go (go) Security Update for github.com/hashicorp/vault (GHSA-qv95-g3gm-x542)

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other users policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Successful exploitation of this vulnerability may affect the confidentiality, integrity, and availability of the targeted user.

  • CVSS V3 rated as Medium - 5.4 severity.
  • CVSS V2 rated as Medium - 5.5 severity.
  • Solution
    Customers are advised to refer to GHSA-qv95-g3gm-x542 for updates pertaining to this vulnerability.
    Vendor References

    CVEs related to QID 980400

    Software Advisories
    Advisory ID Software Component Link
    GHSA-qv95-g3gm-x542 github.com/hashicorp/vault URL Logo github.com/advisories/GHSA-qv95-g3gm-x542