Closed
Labels
excluded: NOT_IMPORTABLE (This vulnerability only exists in a binary and is not importable.)
Description
In GitHub Security Advisory GHSA-9mh8-9j64-443f, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/hashicorp/vault | 1.9.10 | < 1.9.10 |
Cross references:
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021 EFFECTIVELY_PRIVATE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685 EFFECTIVELY_PRIVATE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708 EFFECTIVELY_PRIVATE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gq98-53rq-qr5h #1849 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-vq4h-9ghm-qmrr #1709
See doc/triage.md for instructions on how to triage this report.
```yaml
modules:
  - module: github.com/hashicorp/vault
    versions:
      - fixed: 1.9.10
    vulnerable_at: 1.9.9
    packages:
      - package: github.com/hashicorp/vault
  - module: github.com/hashicorp/vault
    versions:
      - introduced: 1.10.0
        fixed: 1.10.7
    vulnerable_at: 1.10.6
    packages:
      - package: github.com/hashicorp/vault
  - module: github.com/hashicorp/vault
    versions:
      - introduced: 1.11.0
        fixed: 1.11.4
    vulnerable_at: 1.11.3
    packages:
      - package: github.com/hashicorp/vault
summary: HashiCorp Vault's revocation list not respected
description: |-
    HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not
    initially load the optionally configured CRL issued by the role's CA into memory
    on startup, resulting in the revocation list not being checked if the CRL has
    not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
cves:
  - CVE-2022-41316
ghsas:
  - GHSA-9mh8-9j64-443f
references:
  - web: https://nvd.nist.gov/vuln/detail/CVE-2022-41316
  - web: https://discuss.hashicorp.com/t/hcsec-2022-24-vaults-tls-cert-auth-method-only-loaded-crl-after-first-request/45483
  - advisory: https://github.com/advisories/GHSA-9mh8-9j64-443f
```