CVE-2021-32923 - Insufficient Session Expiration vulnerability in HashiCorp Vault
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: NONE
Summary
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603
- https://security.gentoo.org/glsa/202207-01
- https://www.hashicorp.com/blog/category/vault/