Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-7j85-mwfj-2gr8] An unhandled error in Vault Enterprise's namespace... #4189

Open
wants to merge 1 commit into
base: anonymous4ACL24/advisory-improvement-4189
Choose a base branch
from
Open

[GHSA-7j85-mwfj-2gr8] An unhandled error in Vault Enterprise's namespace... #4189

wants to merge 1 commit into from

Conversation

anonymous4ACL24
Copy link

Updates

  • Affected products
  • Severity
  • Summary

Comments
In reference https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617, it corresponds to the go developer 'HashiCorp' and affects the package Vault.

@github-actions github-actions bot changed the base branch from main to anonymous4ACL24/advisory-improvement-4189 March 30, 2024 13:17
@darakian
Copy link
Contributor

darakian commented Apr 1, 2024

Based on the description it would seem this only applies to the enterprise version of vault. Do you have any evidence to suggest otherwise?

@anonymous4ACL24
Copy link
Author

Based on the description it would seem this only applies to the enterprise version of vault. Do you have any evidence to suggest otherwise?

Similar to my response in https://github.com/github/advisory-database/pull/4187, I think this vulnerability also applies to the open-source versions of Vault.
For example, in the released version 1.14.1 (one of the patch version): https://github.com/hashicorp/vault/releases/tag/v1.14.1, it also mentions: which will have access to some system backend paths that were previously only accessible in the root namespace, corresponding to the details (This operation is generally reserved for privileged operators with read/update permissions to the sys/namespaces path.) of this vulnerability in https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617.
.

@anonymous4ACL24 anonymous4ACL24 mentioned this pull request Apr 2, 2024
Open
@anonymous4ACL24
Copy link
Author

Hi, could you take a look at my preceding response?

@darakian
Copy link
Contributor

Do you have evidence you can present that shows the code change applies to the open source version as well? The two projects may share a repo but not all code changes are relevant to all products which emerge from the repo.

This was referenced Apr 17, 2024
Open
Open
@taladrane
Copy link
Collaborator

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@taladrane taladrane added the Stale label May 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@anonymous4ACL24 @darakian @taladrane