CVE-2020-10660: HashiCorp Vault Improper Privilege Management
(updated )
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity’s Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.
References
- github.com/advisories/GHSA-m979-w9wj-qfj9
- github.com/hashicorp/vault
- github.com/hashicorp/vault/blob/master/CHANGELOG.md
- github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a
- github.com/hashicorp/vault/pull/8606
- nvd.nist.gov/vuln/detail/CVE-2020-10660
- www.hashicorp.com/blog/category/vault
Detect and mitigate CVE-2020-10660 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →