HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Vault | Hashicorp | 0.8.3 (including) | 1.2.5 (excluding) |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/bare-metal-event-relay-operator-bundle:v4.13.0-39 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/bare-metal-event-relay-rhel8-operator:v4.13.0-42 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/baremetal-hardware-event-proxy-rhel8:v4.13.0-21 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/topology-aware-lifecycle-manager-operator-bundle:v4.13.0-70 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/topology-aware-lifecycle-manager-precache-rhel8:v4.13.0-45 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/topology-aware-lifecycle-manager-recovery-rhel8:v4.13.0-43 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/topology-aware-lifecycle-manager-rhel8-operator:v4.13.0-70 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/ztp-site-generate-rhel8:v4.13.0-45 | * |
| RHODF-4.13-RHEL-9 | RedHat | odf4/odf-rhel9-operator:v4.13.0-24 | * |