FKIE_CVE-2022-41316

Vulnerability from fkie_nvd - Published: 2022-10-12 21:15 - Updated: 2025-05-15 15:16
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
References
cve@mitre.orghttps://discuss.hashicorp.comVendor Advisory
cve@mitre.orghttps://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483Vendor Advisory
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20221201-0001/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://discuss.hashicorp.comVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20221201-0001/Third Party Advisory
Impacted products
Vendor Product Version
hashicorp vault *
hashicorp vault *
hashicorp vault *
hashicorp vault *
hashicorp vault *
hashicorp vault *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "A83AB9F6-6662-440E-81EB-3C62B75C5BB8",
              "versionEndExcluding": "1.9.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "8D2BFA44-9C1C-47E9-9A45-60AB128E17BF",
              "versionEndExcluding": "1.9.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "1D91D270-5EFB-45A6-ACEF-DDCEFDCCFEC9",
              "versionEndExcluding": "1.10.7",
              "versionStartIncluding": "1.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "3CFBD5A4-3C11-4980-A007-912156790844",
              "versionEndExcluding": "1.10.7",
              "versionStartIncluding": "1.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "45D5EC99-1403-4ACB-BD8D-A7D1ED6D31D9",
              "versionEndExcluding": "1.11.4",
              "versionStartIncluding": "1.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "225236BD-A091-472C-9CCD-FCD7753A4E0D",
              "versionEndExcluding": "1.11.4",
              "versionStartIncluding": "1.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HashiCorp Vault and Vault Enterprise\u2019s TLS certificate auth method did not initially load the optionally configured CRL issued by the role\u0027s CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10."
    },
    {
      "lang": "es",
      "value": "El m\u00e9todo de autenticaci\u00f3n de certificados TLS de HashiCorp Vault y Vault Enterprise no cargaba inicialmente la CRL configurada opcionalmente y emitida por la CA del rol en la memoria al iniciarse, resultando en que no se comprobara la lista de revocaci\u00f3n si la CRL a\u00fan no era recuperada. Corregido en versiones 1.12.0, 1.11.4, 1.10.7 y 1.9.10"
    }
  ],
  "id": "CVE-2022-41316",
  "lastModified": "2025-05-15T15:16:03.330",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-10-12T21:15:09.857",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.hashicorp.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221201-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.hashicorp.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221201-0001/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.