Vulnerability Description
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hashicorp | Vault | >= 1.4.0, < 1.7.7 |
References
- https://discuss.hashicorp.com/t/hcsec2-21-33-vault-s-kv-secrets-engine-with-inteVendor Advisory
- https://security.gentoo.org/glsa/202207-01Third Party Advisory
- https://www.hashicorp.com/blog/category/vaultProductVendor Advisory
- https://discuss.hashicorp.com/t/hcsec2-21-33-vault-s-kv-secrets-engine-with-inteVendor Advisory
- https://security.gentoo.org/glsa/202207-01Third Party Advisory
- https://www.hashicorp.com/blog/category/vaultProductVendor Advisory
FAQ
What is CVE-2021-45042?
CVE-2021-45042 is a vulnerability with a CVSS score of 4.9 (MEDIUM). In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to...
How severe is CVE-2021-45042?
CVE-2021-45042 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-45042?
Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Vault.