hashicorp vault 不充分的会话过期机制

admin

0
文章

0
评论

2023-12-01 14:17:55 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 hashicorp vault 不充分的会话过期机制

CVE编号

CVE-2021-32923

利用情况

暂无

补丁情况

官方补丁

披露时间

2021-06-08

漏洞描述

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-le...
https://security.gentoo.org/glsa/202207-01
https://www.hashicorp.com/blog/category/vault/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	hashicorp	vault	*	From (including) 0.10.0	Up to (excluding) 1.5.9
	运行在以下环境
	应用	hashicorp	vault	*	From (including) 1.6.0	Up to (excluding) 1.6.5
	运行在以下环境
	应用	hashicorp	vault	*	From (including) 1.7.0	Up to (excluding) 1.7.2
	运行在以下环境
	系统	alpine_3.13	vault	*		Up to (excluding) 1.5.9-r0
	运行在以下环境
	系统	alpine_3.14	vault	*		Up to (excluding) 1.7.2-r0
	运行在以下环境
	系统	alpine_3.15	vault	*		Up to (excluding) 1.7.2-r0
	运行在以下环境
	系统	alpine_3.16	vault	*		Up to (excluding) 1.7.2-r0
	运行在以下环境
	系统	alpine_3.17	vault	*		Up to (excluding) 1.7.2-r0
	运行在以下环境
	系统	alpine_3.18	vault	*		Up to (excluding) 1.7.2-r0
	运行在以下环境
	系统	alpine_edge	vault	*		Up to (excluding) 1.7.2-r0