CVE-2021-42135
8.1 HIGHHashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google ...
Published: 2021-10-11 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 8.1 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-269
Affected products
| Vendor | Product |
|---|---|
| hashicorp | vault |
Description
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-42135
- [Vendor advisory]https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards/
- [Vendor advisory]https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards/
Related CVEs
Same vendor
- CVE-2021-41802 — HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount a... (2.9 LOW)
- CVE-2021-41865 — HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of ... (6.5 MEDIUM)
- CVE-2021-40862 — HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated part... (8.8 HIGH)
- CVE-2021-38698 — HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access... (6.5 MEDIUM)
- CVE-2021-38554 — HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser (5.3 MEDIUM)
Same CWE
- CVE-2024-38487 — api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unint... (7.0 HIGH)
- CVE-2026-12313 — Information disclosure, sandbox escape in the Security: Process Sandboxing component (4.7 MEDIUM)
- CVE-2026-12289 — Privilege escalation in the Graphics: WebRender component (8.8 HIGH)
- CVE-2026-8176 — The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Adminis... (7.5 HIGH)
- CVE-2025-9912 — Nokia SR Linux is vulnerable to a local privilege escalation vulnerability (6.3 MEDIUM)