Vulnerability Description
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
CVSS Score
7.4 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hashicorp | Vault | >= 0.10.0, < 1.5.9 |
Related Weaknesses (CWE)
References
- https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-lease (Vendor Advisory)
- https://security.gentoo.org/glsa/202207-01 (Third Party Advisory)
- https://www.hashicorp.com/blog/category/vault/ (Product, Vendor Advisory)
FAQ
What is CVE-2021-32923?
CVE-2021-32923 is a vulnerability with a CVSS score of 7.4 (HIGH). HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
How severe is CVE-2021-32923?
CVE-2021-32923 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32923?
Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Vault.