CVE-2022-30689

MEDIUM5.3EPSS 0.36%

HashiCorp Vault improper configuration of multi factor authentication

Published: 5/18/2022Modified: 8/21/2024

Also known as:GHSA-c5wc-v287-82pcBIT-vault-2022-30689GO-2022-0590

Description

HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.

Affected packages (3)

Bitnami/vault>= 1.10.0, < 1.10.3
Go/github.com/hashicorp/vault>= 1.10.0, < 1.10.3
Go/github.com/hashicorp/vault>= 1.10.0, < 1.10.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (8)

ADVISORYhttps://github.com/advisories/GHSA-c5wc-v287-82pc
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-30689
WEBhttps://discuss.hashicorp.com
WEBhttps://github.com/hashicorp/vault
WEBhttps://github.com/hashicorp/vault/commit/15baea5fa3e71c837c33b8bcbd8f06e0fbbc110d
WEBhttps://security.gentoo.org/glsa/202207-01
WEBhttps://security.netapp.com/advisory/ntap-20220629-0006
WEBhttps://security.netapp.com/advisory/ntap-20220629-0006/