CVE-2022-41316

MEDIUM5.3EPSS 0.19%

HashiCorp Vault's revocation list not respected

發布日:2023/7/6修改日:2026/2/4

也稱為:GHSA-9mh8-9j64-443fBIT-vault-2022-41316CGA-48rq-33h6-6xw7GO-2023-1897

描述

HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.

受影響套件(3)

Bitnami/vaultfrom 0, < 1.9.10, >= 1.10.0, < 1.10.7, >= 1.11.0, < 1.11.4
Go/github.com/hashicorp/vault>= 1.11.0, < 1.11.4
Go/github.com/hashicorp/vaultfrom 0, < 1.9.10, >= 1.10.0, < 1.10.7, >= 1.11.0, < 1.11.4

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

參考連結(7)

ADVISORYhttps://github.com/advisories/GHSA-9mh8-9j64-443f
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-41316
PATCHhttps://github.com/hashicorp/vault
WEBhttps://discuss.hashicorp.com
WEBhttps://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483
WEBhttps://security.netapp.com/advisory/ntap-20221201-0001
WEBhttps://security.netapp.com/advisory/ntap-20221201-0001/