Headline
GHSA-rq95-xf66-j689: Improper Authentication in HashiCorp Vault
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
Severity: High. GitHub Reviewed. Published Jan 31, 2024 to the GitHub Advisory Database.
Related news
Gentoo Linux Security Advisory 202207-01
Gentoo Linux Security Advisory 202207-01 - Multiple vulnerabilities have been discovered in HashiCorp Vault, the worst of which could result in denial of service. Versions earlier than 1.10.3 are affected.
CVE-2021-3282: HCSEC-2021-04 - Vault Enterprise’s DR Secondaries Allowed Raft Peer Removal Without Authentication
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.