Improper Privilege Management
CVE-2021-42135
Summary
HashiCorp Vault and Vault Enterprise version 1.8.0-rc1 and later may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. In some situations, users may hold more privileges than intended; for example, a user with read permission on the "/gcp/roleset/*" path may be able to issue Google Cloud service account credentials.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- NONE
CWE-269 - Improper Privilege Management
An effective privilege management infrastructure provides valid users with required access and privileges across heterogeneous technology environments. An application with a faulty privilege management infrastructure allows higher than authorized privileges or enables privilege escalation. This can lead to security incidents such as system infiltration, data breach, and complete system takeover.
Advisory Timeline
- Published