CVE-2021-45042 - Unspecified vulnerability in HashiCorp Vault
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.
Vulnerable Configurations
References
- https://discuss.hashicorp.com/t/hcsec2-21-33-vault-s-kv-secrets-engine-with-integrated-storage-exposed-to-authenticated-denial-of-service/33157
- https://security.gentoo.org/glsa/202207-01
- https://www.hashicorp.com/blog/category/vault