CVE-2020-7220 — Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp

Description

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.

How to fix CVE-2020-7220

To remediate CVE-2020-7220, upgrade the affected package to a fixed version below.

Bitnami/vault—upgrade to 1.3.2 or later
—upgrade to 1.3.2 or later
—upgrade to 1.3.2 or later

Is CVE-2020-7220 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 0.11.0, < 1.3.2
>= 0.11.0, < 1.3.2
>= 0.11.0, < 1.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYgithub.com/advisories/GHSA-9vh5-r4qw-v3vv
ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-7220
WEBgithub.com/hashicorp/vault/blob/master/CHANGELOG.md#132-january-22nd-2020
WEBwww.hashicorp.com/blog/category/vault
WEB