Upgrade Go version for building vault binary

The latest Vault (v1.9.3) binary is built with Go v1.17.5, which has these high-severity CVEs:
https://nvd.nist.gov/vuln/detail/CVE-2022-23773
https://nvd.nist.gov/vuln/detail/CVE-2022-23806
https://nvd.nist.gov/vuln/detail/CVE-2022-23772

These CVEs have been fixed in Go v1.17.7. Is there a plan to ship a new binary built using Go v1.17.7 for Vault? Thanks!

From the looks of it, the new version is already available (backported) and is also included with the upcoming v1.10.0 release.
As you can see, the commit for this is already on the main branch and is backported to 1.9.x.

When you download the binary itself, it might not have been updated; this might take some time. But building it from source or getting the Docker image should contain the newer version.


Thanks for the information! I will keep an eye on the binary for v1.9.x; once it is updated I will rebuild our Docker image accordingly. Thank you!
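One way to confirm which Go toolchain a downloaded or rebuilt binary was actually built with, as an added example that is not part of the original thread or of Vault's own tooling: it reads the Go version embedded in each binary with the standard library's `debug/buildinfo` and compares it with the Go v1.17.7 threshold named in the question. The names `minFixed`, `rank` and `atLeast` are made up for this example, and the comparison covers only that one threshold.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// minFixed is the Go release the thread names as carrying the CVE fixes.
const minFixed = "go1.17.7"

var goRelease = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// rank maps "go1.17.5" to 1017005; a missing patch level ("go1.18") counts as 0.
func rank(v string) (int, error) {
	m := goRelease.FindStringSubmatch(v)
	if m == nil {
		return 0, fmt.Errorf("not a Go release version: %q", v)
	}
	n := 0
	for _, part := range m[1:] {
		k, _ := strconv.Atoi(part) // "" (no patch level) yields 0
		n = n*1000 + k
	}
	return n, nil
}

// atLeast reports whether toolchain version v is floor or newer.
func atLeast(v, floor string) (bool, error) {
	a, errA := rank(v)
	b, errB := rank(floor)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("cannot compare %q with %q", v, floor)
	}
	return a >= b, nil
}

// main prints the toolchain embedded in each binary given as an argument.
func main() {
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Println(path, "unreadable:", err)
			continue
		}
		ok, err := atLeast(info.GoVersion, minFixed)
		fmt.Println(path, info.GoVersion, "at least", minFixed+":", ok, err)
	}
}
```

Run it against the downloaded binary and against the one inside the Docker image; `go version <binary>` prints the same embedded version string if a Go toolchain is at hand.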