CVE-2022-30689
HashiCorp Vault improper configuration of multi factor authentication in github.com/hashicorp/vault
CVSS 3.1: 5.3 (MEDIUM)
EPSS 0.36%
Description
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.
How to fix CVE-2022-30689
To remediate CVE-2022-30689, upgrade the affected package to a fixed version below.
- upgrade to 1.10.3 or later
- upgrade to 1.10.3 or later
- upgrade to 1.10.3 or later
Is CVE-2022-30689 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 1.10.0, < 1.10.3
- >= 1.10.0, < 1.10.3
- >= 1.10.0, < 1.10.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |