Lucene search

GoogleOSV:BIT-VAULT-2022-25244

HistoryMar 06, 2024 - 11:10 a.m.

BIT-vault-2022-25244

2024-03-0611:10:08

Google

osv.dev

vault enterprise

tokenization key

exposure

fixed

version 1.9.4

version 1.8.9

version 1.7.10

software

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.6%

JSON

Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10.

CPENameOperatorVersion
vaultge1.8.0
vaultlt1.8.9
vaultge1.7.0
vaultlt1.7.10
vaultlt1.9.4
vaultge1.9.0

Name	Operator	Version
vault	ge	1.8.0
vault	lt	1.8.9
vault	ge	1.7.0
vault	lt	1.7.10
vault	lt	1.9.4
vault	ge	1.9.0

References

discuss.hashicorp.com

discuss.hashicorp.com/t/hcsec-2022-08-vault-enterprise-s-tokenization-transform-configuration-endpoint-may-expose-transform-key/36599

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.6%

JSON

Related for OSV:BIT-VAULT-2022-25244