CVE-2021-38553

CRITICAL9.8EPSS 0.03%

HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0

Published: 8/30/2021Modified: 8/21/2024

Also known as:GHSA-23fq-q7hc-993rBIT-vault-2021-38553GO-2022-0620

Description

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

Affected packages (3)

Bitnami/vault>= 1.4.0, < 1.8.0
Go/github.com/hashicorp/vault>= 1.4.0, < 1.8.0
Go/github.com/hashicorp/vault>= 1.4.0, < 1.8.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://github.com/advisories/GHSA-23fq-q7hc-993r
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-38553
WEBhttps://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168
WEBhttps://github.com/hashicorp/vault
WEBhttps://security.gentoo.org/glsa/202207-01