CVE-2022-36129

{"id": "CVE-2022-36129", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2022-07-26T23:15:08.337", "references": [{"url": "https://discuss.hashicorp.com", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20220901-0011/", "source": "cve@mitre.org"}, {"url": "https://discuss.hashicorp.com", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20220901-0011/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1."}, {"lang": "es", "value": "Los cl\u00fasteres de HashiCorp Vault Enterprise 1.7.0 a 1.9.7, 1.10.4 y 1.11.0 que utilizan Integrated Storage exponen un punto final de API no autenticado que podr\u00eda ser abusado para anular el estado de votante de un nodo dentro de un cl\u00faster de Vault HA, introduciendo la posibilidad de una futura p\u00e9rdida de datos o un fallo catastr\u00f3fico. Corregido en Vault Enterprise 1.9.8, 1.10.5 y 1.11.1"}], "lastModified": "2024-11-21T07:12:27.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C61A9B98-537D-4B3E-B8DB-2B745F194602", "versionEndIncluding": "1.9.7", "versionStartIncluding": "1.7.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8BF15D42-012D-42E2-94A8-41CB79AA1630", "versionEndIncluding": "1.10.4", "versionStartIncluding": "1.10.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:1.11.0:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "5374E2F4-F912-461D-A59B-1C5D474EB1FB"}, {"criteria": "cpe:2.3:a:hashicorp:vault:1.11.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "DD2B7644-DDE6-46EA-BF39-3DD2087AD9E4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}