Vulnerability Details : CVE-2022-36129
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.
Products affected by CVE-2022-36129
- cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*
- cpe:2.3:a:hashicorp:vault:1.11.0:*:*:*:-:*:*:*
- cpe:2.3:a:hashicorp:vault:1.11.0:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36129
0.16% - probability of exploitation activity in the next 30 days
EPSS Score History
~52% - percentile, the proportion of vulnerabilities that are scored at or below this EPSS score
CVSS scores for CVE-2022-36129
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 3.9 | 5.2 | NIST | 
CWE ids for CVE-2022-36129
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-36129
- https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420 - HCSEC-2022-15 - Vault Enterprise Does Not Verify Existing Voter Status When Joining An Integrated Storage HA Node - Security - HashiCorp Discuss (Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20220901-0011/ - CVE-2022-36129 HashiCorp Vulnerability in NetApp Products | NetApp Product Security