Moderate severityNVD Advisory· Published Oct 12, 2022· Updated May 15, 2025
CVE-2022-41316
CVE-2022-41316
Description
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/vaultGo | >= 1.11.0, < 1.11.4 | 1.11.4 |
github.com/hashicorp/vaultGo | >= 1.10.0, < 1.10.7 | 1.10.7 |
github.com/hashicorp/vaultGo | < 1.9.10 | 1.9.10 |
Affected products
21- osv-coords20 versionspkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/chainguard/vault-1.14pkg:apk/chainguard/vault-1.14-compatpkg:apk/chainguard/vault-1.14-entrypointpkg:apk/chainguard/vault-1.16pkg:apk/chainguard/vault-1.16-compatpkg:apk/chainguard/vault-fips-1.14pkg:apk/chainguard/vault-fips-1.14-compatpkg:apk/chainguard/vault-fips-1.16pkg:apk/chainguard/vault-fips-1.16-compatpkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:apk/wolfi/vault-1.14pkg:apk/wolfi/vault-1.14-compatpkg:apk/wolfi/vault-1.14-entrypointpkg:bitnami/vaultpkg:golang/github.com/hashicorp/vault
< 5.6.0-r11+ 19 more
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.9.10
- (no CPE)range: >= 1.11.0, < 1.11.4
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-9mh8-9j64-443fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-41316ghsaADVISORY
- discuss.hashicorp.comghsaWEB
- discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483ghsaWEB
- security.netapp.com/advisory/ntap-20221201-0001ghsaWEB
- security.netapp.com/advisory/ntap-20221201-0001/mitre
News mentions
0No linked articles in our index yet.