Bulletin ID: HCSEC-2020-24
Affected Products / Versions: Vault Enterprise; fixed in 1.6.1 & 1.5.6.
Publication Date: 16 December, 2020
Vault Enterprise Sentinel EGP policies should be constrained to the namespace in which they’re applied, or to children namespaces. Incorrect parsing of the supplied path, when configuring EGP policies, allowed them to process requests in parent and sibling namespaces. This vulnerability, CVE-2020-35453, was fixed in Vault Enterprise 1.6.1 & 1.5.6.
Sentinel EGP Policies are a Vault Enterprise feature that allows Operators to configure additional access control logic tied to paths within a Vault cluster. See https://www.vaultproject.io/docs/enterprise/sentinel for more information.
An external party reported that they were able to apply Sentinel EGP Policies to a global path, allowing them to escalate part of their privileges to potentially influence operations in Vault namespaces that they shouldn’t have been able to.
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.6.1, 1.5.6, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
This issue was identified by an external party who reported it to HashiCorp.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.