
CVE-2020-10660: HashiCorp Vault Improper Privilege Management

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.44172%
Published: 1/30/2024
Updated: 9/16/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name: github.com/hashicorp/vault
Ecosystem: go
Vulnerable Versions: >= 0.9.0, < 1.3.4
First Patched Version: 1.3.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from improper group membership validation during token renewal and login. The commit diff shows critical changes in these functions, where conditional checks for the presence of GroupAliases were removed. This matches the CVE description, which describes a failure to remove group memberships that are no longer valid. The tests added in identity_test.go exercise these scenarios, confirming that these functions were central to the privilege management flaw.
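To make the root cause concrete, here is an added Go example (not Vault's code; the types and function names are hypothetical) modelling how external group memberships are pruned at login or renewal: the vulnerable variant skips reconciliation when the backend reports no group aliases, so a withdrawn membership survives, while the fixed variant reconciles unconditionally.

```go
package main

import "fmt"

// Entity is a hypothetical stand-in (not Vault's own type) for an identity
// entity whose external group memberships come from its auth backend.
type Entity struct {
	ID             string
	ExternalGroups map[string]bool
}

// reconcile makes the external memberships equal exactly the set of group
// aliases the backend reported on this login or renewal.
func reconcile(e *Entity, groupAliases []string) {
	reported := make(map[string]bool, len(groupAliases))
	for _, g := range groupAliases {
		reported[g] = true
	}
	for g := range e.ExternalGroups {
		if !reported[g] {
			delete(e.ExternalGroups, g) // no longer granted upstream
		}
	}
	for g := range reported {
		e.ExternalGroups[g] = true
	}
}

// VulnerableRefresh models the flaw: an empty alias list is treated as
// "nothing to do", so memberships the backend withdrew are never pruned.
func VulnerableRefresh(e *Entity, groupAliases []string) {
	if len(groupAliases) == 0 {
		return
	}
	reconcile(e, groupAliases)
}

// FixedRefresh drops that guard: an empty list means "member of nothing".
func FixedRefresh(e *Entity, groupAliases []string) {
	reconcile(e, groupAliases)
}

func main() {
	// Constructed sample: the backend no longer reports "admins" for alice.
	e := &Entity{ID: "alice", ExternalGroups: map[string]bool{"admins": true}}
	VulnerableRefresh(e, nil)
	fmt.Println("vulnerable path keeps groups:", len(e.ExternalGroups)) // 1
	FixedRefresh(e, nil)
	fmt.Println("fixed path keeps groups:", len(e.ExternalGroups)) // 0
}
```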


WAF Protection Rules

WAF Rule

HashiCorp Vault and Vault Enterprise versions from 0.9.0 up to (but not including) 1.3.4 may, under certain circumstances, have an entity's group membership inadvertently include groups the entity no longer has permissions to. Fixed in 1.3.4.
