CyberSec.Space Logo
CVEブラウザに戻る

CVE-2020-12757

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0420%
EPSS Percentile41.71th
Published2020年6月10日
Last Modified2024年11月21日

Vulnerability Description

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.

Affected Platforms (CPE)

📦
Hashicorp

Vault

>= 1.4.0 and < 1.4.2
📦
Hashicorp

Vault

>= 1.4.0 and < 1.4.2

References & Advisories

🔗 https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020
🔗 https://www.hashicorp.com/blog/category/vault/
🔗 https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020
🔗 https://www.hashicorp.com/blog/category/vault/

関連する脆弱性情報

CVE-2010-444910.0

Unspecified vulnerability in the Audit Vault component in Oracle Audit Vault 10.2.3.2 allows remote attackers to affect confidenti...

CVE-2004-277710.0

GE Healthcare Centricity Image Vault 3.x has a password of (1) gemnet for the administrator account, (2) webadmin for the webadmin...

CVE-2018-98439.8

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary ...

CVE-2018-203719.8

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers to bypass...