| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/hashicorp/vault | go | >= 0.6.0, < 1.21.0 | 1.21.0 |
The vulnerability lies in the caching mechanism for AWS clients within the AWS authentication backend of HashiCorp Vault. The functions clientEC2 and clientIAM in builtin/credential/aws/client.go were responsible for creating and caching AWS service clients. The cache keys were constructed using only the AWS region and the STS role name. The AWS Account ID was not part of the cache key.
This becomes a security issue when Vault is configured to trust multiple AWS accounts and those accounts use the same IAM role name. Because the account is absent from the key, a lookup for the client belonging to a role in one account can return the cached client that was built for the identically named role in a different account, so a login request bound to one account can be validated with a client that was set up for another. The advisory classifies the result as an authentication bypass that can grant unauthorized access.
The patch introduces a clientKey struct holding the AccountID, Region, and STSRole, and changes EC2ClientsMap and IAMClientsMap to be keyed by this composite value. Cached clients are therefore unique per account, region, and role, which removes the cross-account collision and closes the bypass. The two vulnerable functions, aws.backend.clientEC2 and aws.backend.clientIAM, are where the incomplete key was built and where the fix was applied.
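The collision described above, modelled in Go as an added example that is not Vault's own code: the cache types, the build function, the method and function names, and the account IDs are illustrative stand-ins, and the real entries are AWS SDK clients whose bound account is implied by the STS credentials they carry rather than by a field.

```go
package main

import "fmt"

// awsClient is a hypothetical stand-in for an EC2 or IAM SDK client. The
// AccountID field only exists here so the example can show which account a
// cached client was built for.
type awsClient struct {
	AccountID string
	Region    string
	STSRole   string
}

// legacyKey models the pre-1.21.0 key: region and STS role, no account.
type legacyKey struct {
	Region  string
	STSRole string
}

// clientKey models the patched composite key.
type clientKey struct {
	AccountID string
	Region    string
	STSRole   string
}

type legacyCache struct{ clients map[legacyKey]*awsClient }
type fixedCache struct{ clients map[clientKey]*awsClient }

func newLegacyCache() *legacyCache { return &legacyCache{clients: map[legacyKey]*awsClient{}} }
func newFixedCache() *fixedCache   { return &fixedCache{clients: map[clientKey]*awsClient{}} }

// build stands in for assuming the STS role in the given account and
// constructing an SDK client from the resulting credentials.
func build(accountID, region, role string) *awsClient {
	return &awsClient{AccountID: accountID, Region: region, STSRole: role}
}

// get on the legacy cache never consults accountID on a hit, so a client built
// for one account is handed out for any other account with the same role name.
func (c *legacyCache) get(accountID, region, role string) *awsClient {
	k := legacyKey{Region: region, STSRole: role}
	if cl, ok := c.clients[k]; ok {
		return cl
	}
	cl := build(accountID, region, role)
	c.clients[k] = cl
	return cl
}

// get on the fixed cache includes the account in the key, so each account gets
// its own client while repeated lookups for one account still reuse it.
func (c *fixedCache) get(accountID, region, role string) *awsClient {
	k := clientKey{AccountID: accountID, Region: region, STSRole: role}
	if cl, ok := c.clients[k]; ok {
		return cl
	}
	cl := build(accountID, region, role)
	c.clients[k] = cl
	return cl
}

// LegacyCollides reports whether, after warming the cache for accountA,
// a request for accountB with the same region and role returns accountA's client.
func LegacyCollides(accountA, accountB, region, role string) bool {
	c := newLegacyCache()
	c.get(accountA, region, role)
	return c.get(accountB, region, role).AccountID == accountA
}

// FixedCollides performs the same sequence against the patched cache.
func FixedCollides(accountA, accountB, region, role string) bool {
	c := newFixedCache()
	c.get(accountA, region, role)
	return c.get(accountB, region, role).AccountID == accountA
}

// FixedReuses checks that the composite key still deduplicates within one account.
func FixedReuses(account, region, role string) bool {
	c := newFixedCache()
	first := c.get(account, region, role)
	return c.get(account, region, role) == first && len(c.clients) == 1
}

func main() {
	// Constructed account IDs; both accounts bind the same role name.
	a, b := "111111111111", "222222222222"
	fmt.Println("legacy cache serves account A's client to account B:", LegacyCollides(a, b, "us-east-1", "vault-auth"))
	fmt.Println("fixed cache serves account A's client to account B:", FixedCollides(a, b, "us-east-1", "vault-auth"))
	fmt.Println("fixed cache still reuses within one account:", FixedReuses(a, "us-east-1", "vault-auth"))
}
```

The point the model makes is that the cache key, not the credentials, decides which client a login is checked against; any auditing of a similar cache should confirm that every attribute that selects a distinct trust boundary (here the account) is part of the key.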
| Vulnerable Function | File |
|---|---|
| aws.backend.clientEC2 | builtin/credential/aws/client.go |
| aws.backend.clientIAM | builtin/credential/aws/client.go |