CVE-2020-35453

EPSS 0.33%
Published 17.12.2020 05:15:10
Last modified 21.11.2024 05:27:18
Source cve@mitre.org
Teams watchlist Login
Open Login

HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.

Affected products Warnungen 0 Metrics 3 CWE 0 References 5

Data is provided by the National Vulnerability Database (NVD)

Hashicorp ≫ Vault SwEdition- Version >= 1.5.0 < 1.5.6

Hashicorp ≫ Vault SwEditionenterprise Version >= 1.5.0 < 1.5.6

Hashicorp ≫ Vault SwEdition- Version >= 1.6.0 < 1.6.1

Hashicorp ≫ Vault SwEditionenterprise Version >= 1.6.0 < 1.6.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.33%	0.554

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#161

Release Notes

https://discuss.hashicorp.com/t/hcsec-2020-24-vault-enterprise-s-sentinel-egp-policies-may-impact-parent-or-sibling-namespaces/18983

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-35453

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-35453

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-35453

EUVD