HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
References
| Link | Resource |
|---|---|
| https://discuss.hashicorp.com | Vendor Advisory |
| https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483 | Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20221201-0001/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
03 Dec 2022, 15:02
| Type | Values Removed | Values Added |
|---|---|---|
| References | (CONFIRM) https://security.netapp.com/advisory/ntap-20221201-0001/ - Third Party Advisory |
02 Dec 2022, 01:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
13 Oct 2022, 17:37
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Hashicorp vault
Hashicorp |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
| CPE | cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* |
|
| References | (MISC) https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483 - Vendor Advisory | |
| References | (MISC) https://discuss.hashicorp.com - Vendor Advisory | |
| CWE | CWE-295 |
12 Oct 2022, 21:44
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-10-12 21:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-41316
Mitre link : CVE-2022-41316
CVE.ORG link : CVE-2022-41316
JSON object : View
Products Affected
hashicorp
- vault
CWE
CWE-295
Improper Certificate Validation