CVE-2021-38553 — HashiCorp Vault underlying database had excessively broad filesystem permissions

Description

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

How to fix CVE-2021-38553

To remediate CVE-2021-38553, upgrade the affected package to a fixed version below.

—upgrade to 1.8.0 or later
—upgrade to 1.8.0 or later
—upgrade to 1.8.0 or later

Is CVE-2021-38553 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 1.4.0, < 1.8.0
>= 1.4.0, < 1.8.0
>= 1.4.0, < 1.8.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYgithub.com/advisories/GHSA-23fq-q7hc-993r
ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-38553
WEBdiscuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168
WEBgithub.com/hashicorp/vault