Base Score

HIGH7.4

CVE-2021-32923

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.

VectorNETWORK

Published Bycve@mitre.org

Published DateJun 03, 2021, 11:15

Affected Versions(3)

github.com/hashicorp/vault(Go)

Introduced1.7.0

Fixed1.7.2

LimitN/A

github.com/hashicorp/vault(Go)

Introduced1.6.0

Fixed1.6.5

LimitN/A

github.com/hashicorp/vault(Go)

Introduced0.10.0

Fixed1.5.9

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/hashicorp/vault(Go)	1.7.0	1.7.2	N/A
github.com/hashicorp/vault(Go)	1.6.0	1.6.5	N/A
github.com/hashicorp/vault(Go)	0.10.0	1.5.9	N/A

Weakness Type (CWE):CWE-613

CVSS Metrics

Base Score

7.4

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

Base Score

HIGH7.4

Weakness Type (CWE):CWE-613

CVSS Metrics

Base Score

7.4

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE