Bug 1995209 (CVE-2021-38553)

Summary: CVE-2021-38553 vault: Underlying database file with excessively broad filesystem permissions
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: amctagga, etamir, gghezzo, gparvin, hchiramm, jarrpa, jburrell, jcantril, jwendell, kconner, madam, muagarwa, nbecker, rcernich, sostapov, stcannon, tnielsen, twalsh
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Vault package. Affected versions of the HashiCorp Vault initialized an underlying database file associated with the Integrated Storage feature, which has excessively broad filesystem permissions.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-27 15:34:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2169368    
Bug Blocks: 1995210    

Description Pedro Sampaio 2021-08-18 16:09:36 UTC 
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

References:

https://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168
Comment 1 Product Security DevOps Team 2021-08-27 15:34:55 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-38553