CVE-2021-29653
CVSS 3.1: 7.5 (HIGH)
EPSS 0.10%
Description
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
How to fix CVE-2021-29653
To remediate CVE-2021-29653, upgrade the affected package to a fixed version below.
- Bitnami/vault: upgrade to 1.5.8 or later (on the 1.6 line, 1.6.4 or later; on the 1.7 line, 1.7.1 or later)
Is CVE-2021-29653 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.5.1, < 1.5.8; >= 1.6.0, < 1.6.4; >= 1.7.0, < 1.7.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |