CVE-2021-38553
4.4 MEDIUMHashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage f...
Published: 2021-08-13 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 4.4 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-281
Affected products
| Vendor | Product |
|---|---|
| hashicorp | vault |
Description
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-38553
- [Vendor advisory]https://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168
- [Other]https://security.gentoo.org/glsa/202207-01
- [Vendor advisory]https://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168
- [Other]https://security.gentoo.org/glsa/202207-01
Related CVEs
Same vendor
- CVE-2021-42135 — HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google ... (8.1 HIGH)
- CVE-2021-41802 — HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount a... (2.9 LOW)
- CVE-2021-41865 — HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of ... (6.5 MEDIUM)
- CVE-2021-40862 — HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated part... (8.8 HIGH)
- CVE-2021-38698 — HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access... (6.5 MEDIUM)
Same CWE
- CVE-2026-40767 — Unauthenticated Broken Access Control in wpForo Forum < 3.0.2 versions (7.5 HIGH)
- CVE-2024-47270 — Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 an... (2.7 LOW)
- CVE-2026-44832 — Snipe-IT is an IT asset/license management system (8.8 HIGH)
- CVE-2026-24194 — NVIDIA Display Driver for Linux contains a vulnerability in a kernel mode layer handler, where a user could cause improper permission han... (7.8 HIGH)
- CVE-2026-34744 — Mantis Bug Tracker (MantisBT) is an open source issue tracker