| id: GO-2022-0578 |
| modules: |
| - module: github.com/hashicorp/vault |
| versions: |
| - introduced: 1.8.0 |
| - fixed: 1.8.5 |
| vulnerable_at: 1.8.4 |
| summary: Incorrect Privilege Assignment in HashiCorp Vault in github.com/hashicorp/vault |
| cves: |
| - CVE-2021-42135 |
| ghsas: |
| - GHSA-362v-wg5p-64w2 |
| references: |
| - advisory: https://github.com/advisories/GHSA-362v-wg5p-64w2 |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-42135 |
| - web: https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards |
| - web: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#180 |
| notes: |
| - | |
| manually changed 'last_affected: 1.8.4' to 'fixed: 1.8.5'. The fix appears to be |
| only a documentation clarification; but this is an old enough vulnerability that |
| the new documentation should have had enough time to reach users. |
| source: |
| id: GHSA-362v-wg5p-64w2 |
| created: 2024-08-20T14:05:02.493104-04:00 |
| review_status: UNREVIEWED |
| unexcluded: NOT_IMPORTABLE |
