CVE Vulnerabilities

CVE-2022-25243

Improper Certificate Validation

Published: Mar 10, 2022 | Modified: Nov 09, 2022
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
3.5 LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Ubuntu

Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Vault Hashicorp 1.8.0 (including) 1.8.9 (excluding)
Vault Hashicorp 1.9.0 (including) 1.9.4 (excluding)

Potential Mitigations

References