
Cloud Vulnerability DB
A community-led vulnerabilities database
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.7.5 and 1.8.4 contained a vulnerability (CVE-2021-43998) where templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination. This issue was discovered and reported by Christian Baumann and Nick Triller, and was fixed in versions 1.7.6, 1.8.5, and 1.9.0 (HashiCorp Advisory).
The vulnerability affects Vault's identity secrets engine, which manages identity within Vault. The issue occurs when a single entity has multiple entity aliases for the same entity and mount combination while using templated ACL policies. In such cases, the permissions of the first-created entity alias continue to be enforced and are also applied to newly-created aliases, potentially resulting in incorrect policy enforcement. The vulnerability has a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N (NVD).
The vulnerability could lead to incorrect policy enforcement in Vault deployments where multiple entity aliases exist for the same entity and mount combination. This might result in unintended access permissions being granted to users. However, HashiCorp's internal assessment indicated that exploitation requires high privileges, specifically write permissions to the identity/entity-alias endpoint, which is typically restricted to privileged Vault operators (HashiCorp Advisory).
The vulnerability has been fixed in Vault and Vault Enterprise versions 1.7.6, 1.8.5, and 1.9.0. The fix prevents the creation of new entity aliases if one already exists for a given entity and mount combination. Additionally, Vault now provides a warning to operators on startup if multiple entity aliases exist for the same entity and mount combination. Users are advised to upgrade to these patched versions (HashiCorp Advisory, Gentoo Advisory).
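Operators running a version without the startup warning can audit for the affected condition themselves. The script below is an added example (not code from Wiz or HashiCorp): it groups an entity's aliases by mount accessor, reports any mount with more than one alias, and simulates how a templated policy path using `{{identity.entity.aliases.<mount accessor>.name}}` resolved under the pre-fix behaviour, i.e. against the first-created alias. The entity record is constructed inline in the shape of the `data` field returned by reading `identity/entity/id/<id>`; the field names (`aliases`, `mount_accessor`, `name`, `creation_time`) and the choice of `creation_time` as the ordering key are assumptions.

```python
"""Audit Vault identity entities for multiple aliases on one mount (CVE-2021-43998).

With several aliases on the same entity and mount, a templated ACL policy
resolved against the first-created alias, so newer aliases inherited its
permissions.  This flags such entities so an operator can clean them up.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample resembling the `data` field of `vault read identity/entity/id/<id>`.
# Assumption: field names follow the Vault identity API; values are made up.
SAMPLE_ENTITY = {
    "id": "entity-1111",
    "name": "alice",
    "aliases": [
        {"id": "alias-a", "name": "alice-old", "mount_accessor": "auth_userpass_1234",
         "mount_path": "auth/userpass/", "creation_time": "2021-01-05T10:00:00.123456789Z"},
        {"id": "alias-b", "name": "alice", "mount_accessor": "auth_userpass_1234",
         "mount_path": "auth/userpass/", "creation_time": "2021-06-01T09:30:00Z"},
        {"id": "alias-c", "name": "alice@example.com", "mount_accessor": "auth_oidc_5678",
         "mount_path": "auth/oidc/", "creation_time": "2021-03-10T12:00:00Z"},
    ],
}


def _parse_time(ts):
    """Parse an RFC 3339 UTC timestamp, ignoring any fractional seconds."""
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def duplicate_aliases_by_mount(entity):
    """Return {mount_accessor: [alias, ...]} for accessors carrying more than one alias."""
    by_mount = defaultdict(list)
    for alias in entity.get("aliases", []):
        by_mount[alias["mount_accessor"]].append(alias)
    return {acc: aliases for acc, aliases in by_mount.items() if len(aliases) > 1}


def first_created_alias(entity, mount_accessor):
    """Oldest alias for the given mount accessor, or None if the entity has none there."""
    candidates = [a for a in entity.get("aliases", []) if a["mount_accessor"] == mount_accessor]
    if not candidates:
        return None
    return min(candidates, key=lambda a: _parse_time(a["creation_time"]))


def render_alias_name_template(policy_path, entity, mount_accessor):
    """Simulate pre-fix resolution of {{identity.entity.aliases.<accessor>.name}}.

    The first-created alias wins regardless of which alias the caller logged in with.
    """
    alias = first_created_alias(entity, mount_accessor)
    placeholder = "{{identity.entity.aliases.%s.name}}" % mount_accessor
    return policy_path.replace(placeholder, alias["name"]) if alias else policy_path


def audit(entities):
    """One finding per (entity, mount accessor) pair that has more than one alias."""
    findings = []
    for entity in entities:
        for acc, aliases in duplicate_aliases_by_mount(entity).items():
            findings.append({
                "entity_id": entity["id"],
                "entity_name": entity.get("name"),
                "mount_accessor": acc,
                "alias_names": [a["name"] for a in aliases],
                "policy_binds_to": first_created_alias(entity, acc)["name"],
            })
    return findings


if __name__ == "__main__":
    for f in audit([SAMPLE_ENTITY]):
        print("entity %s (%s): mount %s has aliases %s; templated policies bind to %r"
              % (f["entity_id"], f["entity_name"], f["mount_accessor"],
                 f["alias_names"], f["policy_binds_to"]))
```

In a live deployment the list passed to `audit()` would be built by listing `identity/entity/id` and reading each entity; the auditing token needs only read access on those paths, not the write access on `identity/entity-alias` that the advisory names as the precondition for the issue.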
Source: This report was generated using AI