Improper Privilege Management

CVE-2021-42135

Severity High
Score 8.1/10

Summary

HashiCorp Vault and Vault Enterprise from version 1.8.0-rc1 and after may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the "/gcp/roleset/*" path may be able to issue Google Cloud service account credentials.
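The security-relevant mechanism here is that a trailing `*` in a Vault policy path is a prefix glob: `read` on `gcp/roleset/*` also covers every deeper path under it, including the per-roleset credential endpoints of the Google Cloud secrets engine (`gcp/roleset/<name>/key` and `gcp/roleset/<name>/token`). The following Python script is an added example, not part of this advisory and not HashiCorp's code: it parses simple policy text, reports credential paths that an overly broad read glob reaches, and shows a tightened variant that keeps the glob for metadata reads but adds explicit `deny` rules on the credential sub-paths. The policy text and the roleset name are constructed, and the matcher is a simplification of Vault's ACL rules (exact match, trailing-`*` prefix, `+` single-segment wildcard, more specific rule wins, `deny` overrides).

```python
"""Audit Vault policies for read globs that reach gcp/roleset credential endpoints.

Added example; the policies below are constructed and the matcher is a
simplified model of Vault's path-priority and deny semantics.
"""
import re

# Constructed sample: the overly broad shape the advisory describes.
BROAD_POLICY = '''
path "gcp/roleset/*" {
  capabilities = ["read", "list"]
}
'''

# Constructed hardened variant: same glob for roleset metadata, but the
# credential endpoints get an explicit deny. A rule without a trailing "*"
# takes priority over a trailing-"*" glob, and "deny" wins over every other
# capability, so the glob no longer grants credential issuance.
HARDENED_POLICY = '''
path "gcp/roleset/*" {
  capabilities = ["read", "list"]
}
path "gcp/roleset/+/key" {
  capabilities = ["deny"]
}
path "gcp/roleset/+/token" {
  capabilities = ["deny"]
}
'''

# Minimal parser for the `path "..." { capabilities = [...] }` block form.
_RULE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)

# Roleset credential endpoints of the GCP secrets engine.
CREDENTIAL_SUFFIXES = ("key", "token")


def parse_policy(text):
    """Return a list of (path, [capabilities]) tuples from policy text."""
    rules = []
    for path, caps in _RULE.findall(text):
        capabilities = [c.strip().strip('"') for c in caps.split(",") if c.strip()]
        rules.append((path, capabilities))
    return rules


def _covers(rule_path, request_path):
    """Simplified Vault matching: trailing-* prefix glob, or segment-wise with '+'."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    r_segs, q_segs = rule_path.split("/"), request_path.split("/")
    return len(r_segs) == len(q_segs) and all(
        r in ("+", q) for r, q in zip(r_segs, q_segs)
    )


def find_exposures(policy_text, roleset="example-roleset"):
    """Return credential paths that a read-capable trailing-* glob reaches.

    `roleset` is a constructed name used only to build concrete request paths.
    """
    rules = parse_policy(policy_text)
    exposed = []
    for suffix in CREDENTIAL_SUFFIXES:
        target = f"gcp/roleset/{roleset}/{suffix}"
        matching = [(p, c) for p, c in rules if _covers(p, target)]
        if not matching:
            continue
        # More specific rules (no trailing "*") take priority over the glob.
        specific = [m for m in matching if not m[0].endswith("*")] or matching
        if any("deny" in caps for _, caps in specific):
            continue  # explicit deny closes the path regardless of other grants
        if any("read" in caps and p.endswith("*") for p, caps in specific):
            exposed.append(target)
    return exposed


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {find_exposures(policy) or 'no glob-reachable credential paths'}")
```

Run it as-is to compare the two constructed policies; point `find_exposures` at exported policy text (for example the output of `vault policy read <name>`) to scan real policies, and treat any reported path as a prompt to add the explicit deny rules or to split metadata reads from credential issuance into separate policies.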

CVSS v3 Base Metrics

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: HIGH
  • Integrity: HIGH
  • Availability: NONE

CWE-269 - Improper Privilege Management

An effective privilege management infrastructure provides valid users with required access and privileges across heterogeneous technology environments. An application with a faulty privilege management infrastructure allows higher than authorized privileges or enables privilege escalation. This can lead to security incidents such as system infiltration, data breach, and complete system takeover.

Advisory Timeline

  • Published