Low severityNVD Advisory· Published Oct 8, 2021· Updated Aug 4, 2024
CVE-2021-41802
CVE-2021-41802
Description
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/vaultGo | < 1.7.5 | 1.7.5 |
github.com/hashicorp/vaultGo | >= 1.8.0, < 1.8.4 | 1.8.4 |
Affected products
21- HashiCorp/Vault and Vault Enterprisedescription
- osv-coords20 versionspkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/chainguard/vault-1.14pkg:apk/chainguard/vault-1.14-compatpkg:apk/chainguard/vault-1.14-entrypointpkg:apk/chainguard/vault-1.16pkg:apk/chainguard/vault-1.16-compatpkg:apk/chainguard/vault-fips-1.14pkg:apk/chainguard/vault-fips-1.14-compatpkg:apk/chainguard/vault-fips-1.16pkg:apk/chainguard/vault-fips-1.16-compatpkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:apk/wolfi/vault-1.14pkg:apk/wolfi/vault-1.14-compatpkg:apk/wolfi/vault-1.14-entrypointpkg:bitnami/vaultpkg:golang/github.com/hashicorp/vault
< 5.6.0-r11+ 19 more
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.7.5
- (no CPE)range: < 1.7.5
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-qv95-g3gm-x542ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-41802ghsaADVISORY
- security.gentoo.org/glsa/202207-01ghsavendor-advisoryx_refsource_GENTOOWEB
- discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalationghsaWEB
- discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.