Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 817269 (CVE-2021-41802) - <app-admin/vault-1.8.4: user access confusion (CVE-2021-41802)
Summary: <app-admin/vault-1.8.4: user access confusion (CVE-2021-41802)
Status: CONFIRMED
Alias: CVE-2021-41802
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://discuss.hashicorp.com/t/hcsec...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-09 19:59 UTC by John Helmert III
Modified: 2021-12-02 04:20 UTC (History)
1 user (show)

See Also:
Package list:
app-admin/vault-1.8.4 amd64
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-10-09 19:59:03 UTC
CVE-2021-41802:

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-10-10 05:21:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59132e7f66ea56403edd90f64989b6e0366ced49

commit 59132e7f66ea56403edd90f64989b6e0366ced49
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-10-10 05:18:26 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-10-10 05:21:02 +0000

    app-admin/vault: 1.8.4 bump
    
    Bug: https://bugs.gentoo.org/817269
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest                           | 26 +++++++++++++++--
 .../{vault-1.8.3.ebuild => vault-1.8.4.ebuild}     | 34 ++++++++++++++--------
 2 files changed, 46 insertions(+), 14 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2021-10-10 05:27:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5927a8d4398844e2b6beecff6d667b9a824bac83

commit 5927a8d4398844e2b6beecff6d667b9a824bac83
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-10-10 05:27:09 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-10-10 05:27:20 +0000

    app-admin/vault: Remove vulnerable version 1.8.2
    
    Bug: https://bugs.gentoo.org/817269
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |   16 -
 app-admin/vault/vault-1.8.2.ebuild | 1827 ------------------------------------
 2 files changed, 1843 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8da5b190763ea6b9ee15e791312c00ac92d685a

commit a8da5b190763ea6b9ee15e791312c00ac92d685a
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-10-10 05:25:44 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-10-10 05:26:10 +0000

    app-admin/vault: stable 1.8.4 for amd64, bug #817269
    
    Bug: https://bugs.gentoo.org/817269
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.8.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 NATTkA bot gentoo-dev 2021-12-02 04:20:38 UTC
Unable to check for sanity:

> no match for package: app-admin/vault-1.8.4