x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623

@julieqiu

In GitHub Security Advisory GHSA-38j9-7pp9-2hjw, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/hashicorp/vault | 1.5.9 | >= 0.10.0, < 1.5.9 |

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: github.com/hashicorp/vault
    versions:
      - introduced: 0.10.0
        fixed: 1.5.9
  - package: github.com/hashicorp/vault
    versions:
      - introduced: 1.6.0
        fixed: 1.6.5
  - package: github.com/hashicorp/vault
    versions:
      - introduced: 1.7.0
        fixed: 1.7.2
description: HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired
    token leases and dynamic secret leases (specifically, those within 1 second of
    their maximum TTL), which caused them to be incorrectly treated as non-expiring
    during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
published: 2021-06-08T18:52:05Z
last_modified: 2021-06-17T20:00:43Z
cves:
  - CVE-2021-32923
ghsas:
  - GHSA-38j9-7pp9-2hjw
links:
    context:
      - https://github.com/advisories/GHSA-38j9-7pp9-2hjw

Labels

excluded: NOT_IMPORTABLE (This vulnerability only exists in a binary and is not importable.)
