redhatcve | Redhat.com | RH:CVE-2022-36129
History: Apr 25, 2023 - 12:19 p.m.

CVE-2022-36129

2023-04-25 12:19:36
redhat.com
access.redhat.com
hashicorp vault
enterprise
remote attacker
security bypass
voter status
data loss

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS: 0.002
Percentile: 52.9%

A flaw was found in HashiCorp Vault Enterprise which could allow a remote attacker to bypass security restrictions. This issue is caused by the failure to verify existing voter status when joining an Integrated Storage HA Node. By sending a specially crafted request, an attacker could override the voter status of a node within a Vault HA cluster, introducing the potential for future data loss or catastrophic failure.
