Access Control Bypass Affecting github.com/hashicorp/vault/builtin/logical/pki package, versions >=1.7.0 <1.7.1>=1.6.0 <1.6.4>=1.5.1 <1.5.8


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.08% (39th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Access Control Bypass vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMHASHICORPVAULTBUILTINLOGICALPKI-1255571
  • published26 Apr 2021
  • disclosed26 Apr 2021
  • creditUnknown

Introduced: 26 Apr 2021

CVE-2021-29653  (opens in a new tab)
CWE-284  (opens in a new tab)

How to fix?

Upgrade github.com/hashicorp/vault/builtin/logical/pki to version 1.7.1, 1.6.4, 1.5.8 or higher.

Overview

Affected versions of this package are vulnerable to Access Control Bypass. It was discovered that a change to the tidy_revoked_certs logic in the PKI Secrets Engine, released in Vault 1.5.1, had an unintended effect of removing revoked-but-unexpired certificates from Vault’s CRL. Environments that utilize this feature may have such certificates excluded from their CRL after a tidy operation and subsequently treated as valid since they are no longer in the CRL and not yet past their NotAfter value.

CVSS Base Scores

version 3.1