CVE-2020-10660: HashiCorp Vault Improper Privilege Management

January 30, 2024 (updated September 16, 2024)

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity’s Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

References

github.com/advisories/GHSA-m979-w9wj-qfj9
github.com/hashicorp/vault
github.com/hashicorp/vault/blob/master/CHANGELOG.md
github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a
github.com/hashicorp/vault/pull/8606
nvd.nist.gov/vuln/detail/CVE-2020-10660
www.hashicorp.com/blog/category/vault

Detect and mitigate CVE-2020-10660 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →