| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/hashicorp/vault | go | >= 1.10.0, < 1.10.3 | 1.10.3 |

The vulnerability stems from improper initialization of MFA configurations after a server restart. The `loadMFAConfigs` function in `core_util.go` was a no-op (it returned nil without reading anything back from storage), so MFA rules were never reloaded. Additionally, in the unseal process in `core.go`, `setupCachedMFAResponseAuth` was called before the configurations were loaded, leaving the MFA state invalid after unseal. The fix (1.10.3) introduces `loadLoginMFAConfigs`, renames `loadMFAConfigs` to `loadPolicyMFAConfigs`, and corrects the initialization order so that configurations are loaded before the cache is set up.
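The following is an added example, not code from Vault or from the advisory: a small hypothetical model of the unseal sequence that reproduces the two defects described above (a loader that returns nil without loading, and a response cache built before the rules exist) and a regression check that every MFA rule persisted before a restart is still enforced and cached afterwards. The function names mirror the ones named on the page, but their bodies, the `Storage`, `Core` and `MFAConfig` types, and the sample rules are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// MFAConfig is a constructed stand-in for one login-MFA rule persisted to storage.
type MFAConfig struct {
	ID     string
	Method string
}

// Storage models the persisted state that survives a server restart.
type Storage struct {
	Configs []MFAConfig
}

// Core models the in-memory state that must be rebuilt during unseal.
type Core struct {
	storage       *Storage
	loginMFA      map[string]MFAConfig // rules the login path enforces
	responseCache map[string]int       // per-rule cache of MFA response state (constructed)
}

// loadMFAConfigsNoop mirrors the pre-fix loader: it returns nil and loads nothing.
func loadMFAConfigsNoop(c *Core) error { return nil }

// loadLoginMFAConfigs mirrors the fixed loader: rules are read back from storage.
func loadLoginMFAConfigs(c *Core) error {
	for _, cfg := range c.storage.Configs {
		c.loginMFA[cfg.ID] = cfg
	}
	return nil
}

// setupCachedMFAResponseAuth builds the response cache from the rules currently
// in memory. Run before the rules are loaded, it silently builds an empty cache.
func setupCachedMFAResponseAuth(c *Core) {
	for id := range c.loginMFA {
		c.responseCache[id] = 0
	}
}

// Unseal rebuilds a Core from storage. loadBeforeCache selects the corrected order
// (load configs, then set up the cache); false reproduces the pre-fix order.
func Unseal(st *Storage, loader func(*Core) error, loadBeforeCache bool) (*Core, error) {
	c := &Core{storage: st, loginMFA: map[string]MFAConfig{}, responseCache: map[string]int{}}
	if loadBeforeCache {
		if err := loader(c); err != nil {
			return nil, err
		}
		setupCachedMFAResponseAuth(c)
		return c, nil
	}
	setupCachedMFAResponseAuth(c)
	if err := loader(c); err != nil {
		return nil, err
	}
	return c, nil
}

// MissingAfterRestart is the regression check: every rule persisted before the
// restart must be both enforced and cached after unseal. It returns the IDs that
// are not, so an empty result means MFA enforcement survived the restart.
func MissingAfterRestart(st *Storage, loader func(*Core) error, loadBeforeCache bool) ([]string, error) {
	c, err := Unseal(st, loader, loadBeforeCache)
	if err != nil {
		return nil, err
	}
	var missing []string
	for _, cfg := range st.Configs {
		_, enforced := c.loginMFA[cfg.ID]
		_, cached := c.responseCache[cfg.ID]
		if !enforced || !cached {
			missing = append(missing, cfg.ID)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// SampleStorage returns constructed persisted state: two rules written before the restart.
func SampleStorage() *Storage {
	return &Storage{Configs: []MFAConfig{{ID: "mfa-totp-1", Method: "totp"}, {ID: "mfa-duo-1", Method: "duo"}}}
}

func main() {
	st := SampleStorage()
	cases := []struct {
		name   string
		loader func(*Core) error
		order  bool
	}{
		{"pre-fix: no-op loader, cache before load", loadMFAConfigsNoop, false},
		{"real loader, but cache still before load", loadLoginMFAConfigs, false},
		{"fixed: real loader, load before cache", loadLoginMFAConfigs, true},
	}
	for _, tc := range cases {
		missing, _ := MissingAfterRestart(st, tc.loader, tc.order)
		fmt.Printf("%-45s missing after restart: %v\n", tc.name, missing)
	}
}
```

The middle case is the one worth keeping in a test suite: a working loader alone is not enough, because a cache built before the rules are loaded never sees them, which is why the fix had to correct the order as well as the loader.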