CVE-2022-41316
HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault
5.3
MEDIUM
CVSS 3.1
EPSS 0.19%
Description
HashiCorp Vault and Vault Enterprise's TLS certificate auth method did not load the optionally configured CRL issued by the role's CA into memory on startup, so certificate revocation was not checked until the CRL had first been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
How to fix CVE-2022-41316
To remediate CVE-2022-41316, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 1.9.10 or later
- upgrade to 1.11.4 or later
- upgrade to 1.9.10 or later
Is CVE-2022-41316 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- < 1.9.10; >= 1.10.0, < 1.10.7; >= 1.11.0, < 1.11.4
- >= 1.11.0, < 1.11.4
- < 1.9.10; >= 1.10.0, < 1.10.7; >= 1.11.0, < 1.11.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |