The vulnerability centers on improper privilege assignment (CWE-266) in Vault's identity endpoint handling. The advisory explicitly mentions manipulation of cached entity records through the root namespace's identity API. The functions that process entity updates and policy assignments in the identity subsystem are therefore the most likely candidates: the `handleEntityUpdate` method would process write operations to the identity endpoint, while `setPolicies` would directly modify cached policies. Confidence is medium because no explicit patch details are available, but the correlation between the described attack vectors and the architecture of Vault's identity subsystem strongly suggests these components.

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/hashicorp/vault | go | < 1.18.0 | 1.18.0 |