nvd NVD:CVE-2022-36129
History: Jul 26, 2022 - 11:15 p.m.

CVE-2022-36129

2022-07-26 23:15:08
CWE-306
web.nvd.nist.gov
cve-2022-36129
hashicorp vault enterprise
integrated storage
voter status override
data loss
catastrophic failure
fixed

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS: 0.002
Percentile: 52.9%

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.

Affected configurations

Nvd
Node
hashicorp vault Range 1.7.0 to 1.9.7
OR
hashicorp vault Range 1.10.0 to 1.10.4
OR
hashicorp vault Match 1.11.0 -
OR
hashicorp vault Match 1.11.0 enterprise

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| hashicorp | vault | * | cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:* |
| hashicorp | vault | 1.11.0 | cpe:2.3:a:hashicorp:vault:1.11.0:*:*:*:-:*:*:* |
| hashicorp | vault | 1.11.0 | cpe:2.3:a:hashicorp:vault:1.11.0:*:*:*:enterprise:*:*:* |

