CVE-2021-32923

HIGH 7.4 | EPSS 0.21%

Invalid session token expiration

Published: 6/8/2021 | Modified: 2/4/2026
Also known as: GHSA-38j9-7pp9-2hjw, BIT-vault-2021-32923, CGA-v8p9-4843-p8j6, GO-2022-0623

Description

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.

Affected packages (3)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | HIGH 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References (6)