High severityNVD Advisory· Published Jun 3, 2021· Updated Aug 3, 2024
CVE-2021-32923
CVE-2021-32923
Description
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/vaultGo | >= 1.7.0, < 1.7.2 | 1.7.2 |
github.com/hashicorp/vaultGo | >= 1.6.0, < 1.6.5 | 1.6.5 |
github.com/hashicorp/vaultGo | >= 0.10.0, < 1.5.9 | 1.5.9 |
Affected products
8- osv-coords8 versionspkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:bitnami/vaultpkg:golang/github.com/hashicorp/vault
< 5.6.0-r11+ 7 more
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: >= 0.10.0, < 1.5.9
- (no CPE)range: >= 1.7.0, < 1.7.2
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-38j9-7pp9-2hjwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-32923ghsaADVISORY
- security.gentoo.org/glsa/202207-01ghsavendor-advisoryx_refsource_GENTOOWEB
- discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603ghsax_refsource_MISCWEB
- www.hashicorp.com/blog/category/vaultghsaWEB
- www.hashicorp.com/blog/category/vault/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.