-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from improper certificate validation when using non-CA certificates as trusted authorities. The certificate authentication flow in Vault's TLS auth method would typically involve functions that validate() client certificates against configured trusted certificates. The function 'validateClient' in the certificate auth module is a logical candidate, as it would handle client certificate validation. The vulnerability description indicates that the validation logic did not properly handle non-CA trusted certificates, suggesting a missing check for CA flag validity or improper chain verification in this function. This matches the CWE-295 pattern of improper certificate validation.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/hashicorp/vault | go | >= 1.15.0, < 1.15.5 | 1.15.5 |
| github.com/hashicorp/vault | go | < 1.14.10 | 1.14.10 |
Ongoing coverage of React2Shell