HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NHashicorp Vault
APPHashicorp0.11.0 – 1.3.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Related vulnerabilities
CVE-2025-6000CRITICAL9.1PL ✓ten sam produkt
HashiCorp Vault: RCE przez uprzywilejowanego operatora via sys/audit
CVE-2022-40186CRITICAL9.1ten sam produkt
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity...
CVE-2022-36129CRITICAL9.1ten sam produkt
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an...
CVE-2020-35192CRITICAL9.8ten sam produkt
The official vault docker images before 0.11.6 contain a blank password for a root user. System using the vaul...
CVE-2020-12757CRITICAL9.8ten sam produkt
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorre...