Critical severityNVD Advisory· Published Jun 10, 2020· Updated Aug 4, 2024
CVE-2020-12757
CVE-2020-12757
Description
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/vault-plugin-secrets-gcpGo | < 0.6.2 | 0.6.2 |
Affected products
3- HashiCorp/Vaultdescription
- osv-coords2 versions
>= 1.4.0, < 1.4.2+ 1 more
- (no CPE)range: >= 1.4.0, < 1.4.2
- (no CPE)range: < 0.6.2
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-75pc-qvwc-jf3gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-12757ghsaADVISORY
- github.com/hashicorp/vault-plugin-secrets-gcp/commit/e43d20870c50f7428dead1411debcec075b35fb4ghsaWEB
- github.com/hashicorp/vault-plugin-secrets-gcp/pull/85ghsaWEB
- github.com/hashicorp/vault/blob/master/CHANGELOG.mdghsaWEB
- github.com/hashicorp/vault/blob/master/CHANGELOG.mdghsax_refsource_MISCWEB
- www.hashicorp.com/blog/category/vaultghsaWEB
- www.hashicorp.com/blog/category/vault/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.