Vulnerability Description
Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hashicorp | Vault | >= 1.8.0, < 1.8.9 |
Related Weaknesses (CWE)
References
- https://discuss.hashicorp.com (Vendor Advisory)
- https://discuss.hashicorp.com/t/hcsec-2022-09-vault-pki-secrets-engine-policy-re (Mitigation, Vendor Advisory)
- https://security.gentoo.org/glsa/202207-01 (Third Party Advisory)
FAQ
What is CVE-2022-25243?
CVE-2022-25243 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.
How severe is CVE-2022-25243?
CVE-2022-25243 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-25243?
Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Vault.