Improper Authentication in HashiCorp Vault · CVE-2021-3282 · GitHub Advisory Database · GitHub

Improper Authentication in HashiCorp Vault

High severity GitHub Reviewed Published Jan 31, 2024 to the GitHub Advisory Database

Package

github.com/hashicorp/vault (Go)

Affected versions

>= 1.6.0, < 1.6.2

Patched versions

1.6.2

Description

HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the remove-peer raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.

References

Published by the National Vulnerability Database

Feb 1, 2021

Published to the GitHub Advisory Database Jan 31, 2024

Reviewed Jan 31, 2024

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N