
Bug 817269 (CVE-2021-41802)

Summary: <app-admin/vault-1.8.4: user access confusion (CVE-2021-41802)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation
Whiteboard: B4 [glsa+]
Package list: app-admin/vault-1.8.4 amd64
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-09 19:59:03 UTC
CVE-2021-41802:

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Please bump.
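Added example, not part of this bug report or of Vault itself: a small Python check that classifies a Vault version string against the ranges the CVE text gives (affected through 1.7.4 and from 1.8.0 through 1.8.3; fixed in 1.7.5 and 1.8.4). The function names are mine, and the treatment of series newer than 1.8 as post-fix is an assumption, since the advisory text names only the 1.7 and 1.8 fixes.

```python
# Added example (not from the bug or the Vault project): decide whether a Vault
# version string falls in a range the CVE-2021-41802 text lists as vulnerable.
# Affected: everything through 1.7.4 (older series got no fix) and 1.8.0-1.8.3.
# Fixed: 1.7.5 and 1.8.4. Series newer than 1.8 are assumed to postdate the fix.
import re

# series -> first fixed release in that series, as stated in the CVE text
FIXED = {(1, 7): (1, 7, 5), (1, 8): (1, 8, 4)}


def parse_version(text):
    """Turn '1.8.3', 'v1.8.3', '1.8.3+ent' or '1.8.4-r1' into (1, 8, 3)-style tuples."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True when the version is in a range the advisory lists as vulnerable."""
    v = parse_version(text)
    series = v[:2]
    if series in FIXED:
        return v < FIXED[series]
    # Series older than 1.7 never received a fix, so they stay affected;
    # series newer than 1.8 are assumed to have shipped after the fix.
    return series < (1, 7)


def triage(versions):
    """Map each version string in an inventory to 'affected' or 'fixed'."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # constructed sample inventory, not real hosts
    for version, verdict in triage(["1.6.2", "1.7.4+ent", "1.7.5", "1.8.3", "1.8.4"]).items():
        print(f"{version:>10}: {verdict}")
```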
Comment 1 Larry the Git Cow gentoo-dev 2021-10-10 05:21:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59132e7f66ea56403edd90f64989b6e0366ced49

commit 59132e7f66ea56403edd90f64989b6e0366ced49
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-10-10 05:18:26 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-10-10 05:21:02 +0000

    app-admin/vault: 1.8.4 bump
    
    Bug: https://bugs.gentoo.org/817269
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest                           | 26 +++++++++++++++--
 .../{vault-1.8.3.ebuild => vault-1.8.4.ebuild}     | 34 ++++++++++++++--------
 2 files changed, 46 insertions(+), 14 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2021-10-10 05:27:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5927a8d4398844e2b6beecff6d667b9a824bac83

commit 5927a8d4398844e2b6beecff6d667b9a824bac83
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-10-10 05:27:09 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-10-10 05:27:20 +0000

    app-admin/vault: Remove vulnerable version 1.8.2
    
    Bug: https://bugs.gentoo.org/817269
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |   16 -
 app-admin/vault/vault-1.8.2.ebuild | 1827 ------------------------------------
 2 files changed, 1843 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8da5b190763ea6b9ee15e791312c00ac92d685a

commit a8da5b190763ea6b9ee15e791312c00ac92d685a
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-10-10 05:25:44 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-10-10 05:26:10 +0000

    app-admin/vault: stable 1.8.4 for amd64, bug #817269
    
    Bug: https://bugs.gentoo.org/817269
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.8.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 NATTkA bot gentoo-dev 2021-12-02 04:20:38 UTC
Unable to check for sanity:

> no match for package: app-admin/vault-1.8.4
Comment 4 Larry the Git Cow gentoo-dev 2022-08-01 18:07:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-01 18:09:00 UTC
GLSA released, all done!