CVE-2020-12757

Published: Jun 10, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.

Affected (2)

Products: Hashicorp: Vault

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Hashicorp Vault	From 1.4.0 to 1.4.2
Hashicorp Vault	From 1.4.0 to 1.4.2

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020

Source: cve@mitre.org

Release NotesVendor Advisory

https://www.hashicorp.com/blog/category/vault/

Source: cve@mitre.org

Vendor Advisory

https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://www.hashicorp.com/blog/category/vault/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.