x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9mh8-9j64-443f

[GoVulnBot]

In GitHub Security Advisory GHSA-9mh8-9j64-443f, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/hashicorp/vault	1.9.10	< 1.9.10

Cross references:

• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gq98-53rq-qr5h #1849 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-vq4h-9ghm-qmrr #1709

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/hashicorp/vault
      versions:
        - fixed: 1.9.10
      vulnerable_at: 1.9.9
      packages:
        - package: github.com/hashicorp/vault
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 1.10.0
          fixed: 1.10.7
      vulnerable_at: 1.10.6
      packages:
        - package: github.com/hashicorp/vault
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 1.11.0
          fixed: 1.11.4
      vulnerable_at: 1.11.3
      packages:
        - package: github.com/hashicorp/vault
summary: HashiCorp Vault's revocation list not respected
description: |-
    HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not
    initially load the optionally configured CRL issued by the role's CA into memory
    on startup, resulting in the revocation list not being checked if the CRL has
    not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
cves:
    - CVE-2022-41316
ghsas:
    - GHSA-9mh8-9j64-443f
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2022-41316
    - web: https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483
    - advisory: https://github.com/advisories/GHSA-9mh8-9j64-443f

[gopherbot]

Change https://go.dev/cl/508456 mentions this issue: data/excluded: batch add 14 excluded reports