Lucene search

GoogleOSV:CVE-2022-36129

HistoryJul 26, 2022 - 11:15 p.m.

CVE-2022-36129

2022-07-2623:15:08

Google

osv.dev

hashicorp vault

enterprise

api endpoint

voter status override

data loss

catastrophic failure

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0.002

Percentile

52.9%

JSON

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.

References

discuss.hashicorp.com

discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420

security.netapp.com/advisory/ntap-20220901-0011/

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

6.9

Confidence

High

EPSS

0.002

Percentile

52.9%

JSON

Related for OSV:CVE-2022-36129