Bug 2028193 (CVE-2021-43998) - CVE-2021-43998 vault: incorrect policy enforcement
Summary: CVE-2021-43998 vault: incorrect policy enforcement
Status: NEW
Alias: CVE-2021-43998
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2028478 2126650
Blocks: 2028194
Reported: 2021-12-01 17:04 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-09-14 08:02 UTC


Description Guilherme de Almeida Suckevicz 2021-12-01 17:04:17 UTC
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
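
An added triage example, not part of the original report and not HashiCorp or Red Hat code: it checks a Vault version against the ranges stated above and lists entities that hold more than one alias on the same auth mount, which is the condition the description names. It assumes entity records shaped like the `data` object of a Vault identity entity read (`name`, and `aliases` with `name`, `mount_accessor`, `creation_time`); the sample records, accessors and function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: entity records trimmed to the fields this check uses.
# These are not real Vault output.
SAMPLE_ENTITIES = json.loads("""[
  {"name": "alice", "aliases": [
    {"name": "alice", "mount_accessor": "auth_userpass_aaaa1111", "creation_time": "2021-03-01T10:00:00Z"},
    {"name": "alice-admin", "mount_accessor": "auth_userpass_aaaa1111", "creation_time": "2021-06-15T09:30:00Z"},
    {"name": "alice@example.com", "mount_accessor": "auth_oidc_bbbb2222", "creation_time": "2021-04-02T08:00:00Z"}]},
  {"name": "bob", "aliases": [
    {"name": "bob", "mount_accessor": "auth_userpass_aaaa1111", "creation_time": "2021-05-05T12:00:00Z"}]}
]""")

def parse_version(text):
    """Turn '1.8.4' or 'v1.8.4+ent' into a comparable tuple (1, 8, 4)."""
    core = text.lstrip("v").split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_affected(version):
    # Ranges as read from the bug description (an interpretation of it):
    # 0.11.0 through 1.7.5, and the 1.8 line through 1.8.4.
    v = parse_version(version)
    return (0, 11, 0) <= v < (1, 7, 6) or (1, 8, 0) <= v < (1, 8, 5)

def ambiguous_aliases(entities):
    """Report every entity/mount pair that carries more than one alias."""
    findings = []
    for entity in entities:
        by_mount = defaultdict(list)
        for alias in entity.get("aliases") or []:
            by_mount[alias["mount_accessor"]].append(alias)
        for accessor, group in by_mount.items():
            if len(group) < 2:
                continue
            # Assumes timestamps share one RFC 3339 format, so string order
            # equals time order. The oldest alias is the one a templated
            # policy would resolve to on an affected version.
            group = sorted(group, key=lambda a: a["creation_time"])
            findings.append({
                "entity": entity["name"],
                "mount_accessor": accessor,
                "first_created": group[0]["name"],
                "others": [a["name"] for a in group[1:]],
            })
    return findings

if __name__ == "__main__":
    print("1.8.4 affected:", is_affected("1.8.4"))
    for finding in ambiguous_aliases(SAMPLE_ENTITIES):
        print(finding)
```

Entities reported here are the ones whose templated-policy results deserve review on an affected version; entities with a single alias per mount are outside the condition the description gives.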

