
Cloud Vulnerability DB
A community-led vulnerabilities database
HashiCorp Vault and Vault Enterprise versions 1.8.x through 1.8.4 contain a vulnerability in the Google Cloud secrets engine where users may have more privileges than intended under specific conditions. The vulnerability (CVE-2021-42135) was discovered and reported by an external party and disclosed on October 7, 2021. The issue specifically affects the interaction between glob-related policies and the Google Cloud secrets engine (HashiCorp Advisory, NVD).
The vulnerability stems from changes to the underlying functionality of the Google Cloud secrets engine introduced in version 1.8.0. It specifically affects policies that use globs (*) in their path definitions. For example, a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials, which the original security model did not intend. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD).
The vulnerability could allow users of the Google Cloud secrets engine to gain privileges beyond their intended access level. Specifically, users whose policies contain glob (*) patterns could access and issue Google Cloud service account credentials that should have been restricted (HashiCorp Advisory).
HashiCorp has updated Vault's Google Cloud secrets engine documentation with additional guidance on defining roleset-related policies. Organizations, particularly those running Vault 1.8.0 and above, should review their Vault policies to confirm that they grant only the access actually required and adhere to the principle of least privilege. Special attention should be paid to policies that combine Google Cloud secrets engine endpoints with glob usage, and moving to more specific wildcards should be considered (HashiCorp Advisory).
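As an added illustration (this is not code from the advisory, from HashiCorp, or from this database), the following Python checker parses simple Vault HCL policies and reports any read-capable rule whose glob reaches a credential-issuing endpoint, contrasting the broad gcp/roleset/* rule with one that uses Vault's single-segment "+" wildcard. It assumes the engine is mounted at gcp/ and that credentials are issued by reading gcp/roleset/<name>/token and gcp/roleset/<name>/key; the policies and roleset name are constructed samples.

```python
import re

# Constructed sample: the broad glob form the advisory warns about. A trailing
# '*' in a Vault policy is a prefix match, so it also covers deeper paths.
WEAK_POLICY = '''
path "gcp/roleset/*" {
  capabilities = ["read"]
}
'''

# Constructed sample: '+' matches exactly one path segment, so this rule reaches
# gcp/roleset/<name> (the roleset definition) but not gcp/roleset/<name>/token.
HARDENED_POLICY = '''
path "gcp/roleset/+" {
  capabilities = ["read"]
}
'''

# Assumed credential-issuing endpoints for an engine mounted at gcp/; the
# roleset name "my-roleset" is a constructed placeholder.
CREDENTIAL_ENDPOINTS = [
    "gcp/roleset/my-roleset/token",
    "gcp/roleset/my-roleset/key",
]

# Minimal matcher for `path "<pattern>" { capabilities = [...] }` blocks.
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(hcl):
    """Return a list of (path_pattern, [capabilities]) from Vault HCL policy text."""
    return [(pat, re.findall(r'"([^"]+)"', caps)) for pat, caps in RULE_RE.findall(hcl)]


def pattern_matches(pattern, path):
    """Vault path semantics: '+' is one segment, a trailing '*' is a prefix glob."""
    regex = re.escape(pattern).replace(r"\+", "[^/]+")
    if regex.endswith(r"\*"):
        regex = regex[:-2] + ".*"
    return re.fullmatch(regex, path) is not None


def find_credential_grants(hcl, endpoints=CREDENTIAL_ENDPOINTS):
    """Return (pattern, endpoint) pairs where a read-capable rule reaches a credential endpoint."""
    return [(pat, ep) for pat, caps in parse_policy(hcl) if "read" in caps
            for ep in endpoints if pattern_matches(pat, ep)]
```

Running find_credential_grants over each policy flags both credential endpoints for the weak policy and nothing for the hardened one, which is the review the advisory asks operators to perform.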
Source: This report was generated using AI