Miggo Logo
Miggo Vulnerability Database
CVE-2021-38553

CVE-2021-38553:
HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-38553
GHSA ID
GHSA-23fq-q7hc-993r
EPSS Score
0.07813%
CWE
CWE-281
Published
8/30/2021
Updated
1/30/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/hashicorp/vaultgo>= 1.4.0, < 1.8.01.8.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper file permission handling during BoltDB initialization for Vault's Integrated Storage. The Raft backend setup in physical/raft/raft.go would be responsible for creating the vault.db file. Prior to 1.8.0, the code likely used default or overly broad file modes when calling bolt.Open(), resulting in CWE-281. The fix in 1.8.0 would have adjusted the file mode parameter to enforce stricter permissions (e.g., 0600). While exact code diffs aren't provided, the described vulnerability pattern and HashiCorp's remediation guidance strongly implicate the Raft storage initialization logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*i*orp V*ult *n* V*ult *nt*rpris* *.*.* t*rou** *.*.* initi*liz** *n un**rlyin* **t***s* *il* *sso*i*t** wit* t** Int**r*t** Stor*** ***tur* wit* *x**ssiv*ly *ro** *il*syst*m p*rmissions. *ix** in V*ult *n* V*ult *nt*rpris* *.*.*.

Reasoning

T** vuln*r**ility st*ms *rom improp*r *il* p*rmission **n*lin* *urin* `*olt**` initi*liz*tion *or `V*ult`'s Int**r*t** Stor***. T** R**t ***k*n* s*tup in `p*ysi**l/r**t/r**t.*o` woul* ** r*sponsi*l* *or *r**tin* t** `v*ult.**` *il*. Prior to *.*.*, t