CVE-2020-35453

EUVD-2020-23127
HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
hashicorpvault
1.5.0 ≤
𝑥
< 1.5.6
hashicorpvault
1.5.0 ≤
𝑥
< 1.5.6
hashicorpvault
1.6.0 ≤
𝑥
< 1.6.1
hashicorpvault
1.6.0 ≤
𝑥
< 1.6.1
𝑥
= Vulnerable software versions
References
https://discuss.hashicorp.com/t/hcsec-2020-24-vault-enterprise-s-sentinel-egp-policies-may-impact-parent-or-sibling-namespaces/18983
https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#161
https://discuss.hashicorp.com/t/hcsec-2020-24-vault-enterprise-s-sentinel-egp-policies-may-impact-parent-or-sibling-namespaces/18983
https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#161