HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4. References: https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020 https://www.hashicorp.com/blog/category/vault/
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10660