CyberSec.Space Logo
Back to CVE Browser

CVE-2020-12757

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0420%
EPSS Percentile41.71th
PublishedJun 10, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.

Affected Platforms (CPE)

πŸ“¦
Hashicorp

Vault

>= 1.4.0 and < 1.4.2
πŸ“¦
Hashicorp

Vault

>= 1.4.0 and < 1.4.2

References & Advisories

πŸ”— https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020
πŸ”— https://www.hashicorp.com/blog/category/vault/
πŸ”— https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020
πŸ”— https://www.hashicorp.com/blog/category/vault/

Related Vulnerabilities

CVE-2010-444910.0

Unspecified vulnerability in the Audit Vault component in Oracle Audit Vault 10.2.3.2 allows remote attackers to affect confidenti...

CVE-2004-277710.0

GE Healthcare Centricity Image Vault 3.x has a password of (1) gemnet for the administrator account, (2) webadmin for the webadmin...

CVE-2018-98439.8

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary ...

CVE-2018-203719.8

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers to bypass...