ID CVE-2020-10661
Summary HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.
References
Vulnerable Configurations
  • cpe:2.3:a:hashicorp:vault:1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.0.3:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.0:-:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.0:beta1:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.0:beta2:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.1:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.2:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.3:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.4:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.5:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.0:-:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.0:beta1:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.0:beta2:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.0:rc1:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.1:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.2:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.3:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.4:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.0:-:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.0:beta1:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.1:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.2:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.3:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:vault:0.11.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.0.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.0.3:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.0:-:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.0:beta1:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.0:beta2:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.1:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.3:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.4:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.1.5:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.0:-:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.0:beta1:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.0:beta2:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.0:rc1:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.1:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.3:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.2.4:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.0:-:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.0:beta1:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.1:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:vault:1.3.3:*:*:*:enterprise:*:*:*
CVSS
Base: 5.8 (as of 25-03-2020 - 18:40)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
refmap via4
confirm https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020
misc https://www.hashicorp.com/blog/category/vault/
Last major update 25-03-2020 - 18:40
Published 23-03-2020 - 13:15
Last modified 25-03-2020 - 18:40