
Cloud Vulnerability DB
A community-led vulnerabilities database
HashiCorp Vault Enterprise versions 0.9.2 through 1.6.2 contained a vulnerability (CVE-2021-27668) that allowed unauthorized access to license metadata from Vault DR (Disaster Recovery) secondaries. The vulnerability was discovered and reported by an external party to HashiCorp and was fixed in version 1.6.3 (HashiCorp Discussion).
The vulnerability existed in the /sys/license API endpoint, which exposes license information and its configuration. The flaw allowed unauthenticated users to read licensing metadata from Vault Enterprise DR secondary nodes. Attackers could not modify the licensing configuration or obtain the license itself, but they could read licensing metadata without authenticating (HashiCorp Discussion).
The root cause was an improper authentication check on this endpoint, which permitted unauthorized access to sensitive information. Although the impact was limited to reading license metadata, with no ability to change the licensing configuration or access the license itself, it remained a security concern for organizations running Vault Enterprise DR secondaries (Red Hat CVE).
The recommended mitigation is to upgrade to HashiCorp Vault Enterprise version 1.6.3 or newer. Organizations should evaluate the risk associated with this issue and follow the general guidance and version-specific upgrade notes provided in the Vault upgrading documentation (HashiCorp Discussion).
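To support that evaluation, here is an added triage helper (not code from the advisory or from HashiCorp) that classifies Vault nodes against the affected range using the `version` and `replication_dr_mode` fields of Vault's unauthenticated `sys/health` response; the `+ent` suffix as the marker of an Enterprise build and the sample responses below are assumptions constructed for the example.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Affected range from the advisory: Vault Enterprise 0.9.2 through 1.6.2, fixed in 1.6.3.
FIRST_AFFECTED = (0, 9, 2)
FIXED_IN = (1, 6, 3)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Parse "1.6.2+ent" or "v1.6.3" into (major, minor, patch); None if unparsable.

    Build metadata ("+ent") and prerelease tags ("-rc1") are ignored for comparison.
    """
    m = _VERSION_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(version: str) -> bool:
    """True when the version lies inside the affected range [0.9.2, 1.6.3)."""
    parsed = parse_version(version)
    return parsed is not None and FIRST_AFFECTED <= parsed < FIXED_IN


def triage_node(health: dict) -> str:
    """Classify one node from its sys/health JSON.

    Only Enterprise DR secondaries exposed license metadata, so "exposed" requires
    an Enterprise build, DR secondary mode and an affected version. Affected
    primaries still need the upgrade, so they get "upgrade-recommended".
    """
    version = str(health.get("version", ""))
    if not version.endswith("+ent"):  # assumption: Enterprise builds carry "+ent"
        return "not-enterprise"
    if not is_affected_version(version):
        return "patched"
    if health.get("replication_dr_mode") == "secondary":
        return "exposed"
    return "upgrade-recommended"


def triage_fleet(responses: List[str]) -> Dict[str, str]:
    """Map cluster_name -> classification for a list of raw sys/health JSON bodies."""
    return {(h := json.loads(r)).get("cluster_name", "?"): triage_node(h) for r in responses}


# Constructed sample responses (not captured from a real deployment).
SAMPLE_HEALTH = [
    '{"cluster_name": "dr-west", "version": "1.6.2+ent", "replication_dr_mode": "secondary"}',
    '{"cluster_name": "prod-east", "version": "1.5.0+ent", "replication_dr_mode": "primary"}',
    '{"cluster_name": "dr-north", "version": "1.6.3+ent", "replication_dr_mode": "secondary"}',
    '{"cluster_name": "oss-lab", "version": "1.6.2", "replication_dr_mode": "secondary"}',
]
```

Nodes classified as "exposed" are the DR secondaries that an unauthenticated caller could read license metadata from until they are upgraded to 1.6.3 or newer.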
Source: This report was generated using AI