Summary
HashiCorp recently published eight security bulletins for issues impacting Vault Community Edition and Vault Enterprise, all of which have been addressed in the latest Vault versions: 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
Background
Earlier this year, a security researcher reported multiple vulnerabilities impacting Vault and Vault Enterprise. These vulnerabilities range in severity and exploitability, but generally focus on core authentication flows. The vulnerabilities are:
In addition, HashiCorp has published a bulletin for a vulnerability that has been disclosed but is not yet remediated. While we believe this issue presents a low risk, the bulletin includes details and guidance for operators who wish to mitigate the vulnerability until a fix is available:
Remediation
Customers should evaluate the risk associated with each issue and consider upgrading to Vault Community Edition 1.20.2 or Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24. Please refer to Upgrading Vault for general guidance.