CVE-2022-40186
HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault
9.1
CRITICAL
CVSS 3.1
EPSS 0.34%
Description
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.
How to fix CVE-2022-40186
To remediate CVE-2022-40186, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 1.9.9 or later
- upgrade to 1.11.3 or later
- upgrade to 1.9.9 or later
Is CVE-2022-40186 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 1.8.0, < 1.9.9, >= 1.10.0, < 1.10.6, >= 1.11.0, < 1.11.3
- >= 1.11.0, < 1.11.3
- >= 1.8.0, < 1.9.9, >= 1.10.0, < 1.10.6, >= 1.11.0, < 1.11.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |