
Cloud Vulnerability DB
A community-led vulnerabilities database
Vault and Vault Enterprise versions 1.8.0 through 1.8.8, and 1.9.3 contained a vulnerability (CVE-2022-25243) that allowed the PKI secrets engine to issue wildcard certificates to authorized users for a specified domain, even when the PKI role policy attribute allow_subdomains was set to false. The vulnerability was discovered in March 2022 and was fixed in Vault Enterprise versions 1.8.9 and 1.9.4 (HashiCorp Advisory).
The vulnerability occurred when allow_bare_domains was set to true and at least one domain without globs (e.g., example.com or subdomain.example.com) was present in the allowed_domains field of a PKI issuance role. One mitigating factor was that the allow_bare_domains attribute is false by default and must be explicitly enabled by an operator. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).
The vulnerability allowed authorized users to obtain wildcard certificates for domains even when explicitly forbidden by policy settings, potentially undermining the PKI role policy controls intended to restrict certificate issuance scope (HashiCorp Advisory).
Users should upgrade to Vault Enterprise version 1.8.9, 1.9.4, or newer. For those unable to upgrade immediately, one partial mitigation is to leave allow_bare_domains disabled on PKI roles: the attribute is false by default and the issue only arises once an operator explicitly enables it (HashiCorp Advisory).
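The paragraphs above name three preconditions an operator can check for: a Vault version in the affected range, a PKI role with allow_bare_domains set to true, and at least one glob-free entry in that role's allowed_domains. The script below is an added example written for this page; it is not code from Wiz or HashiCorp. It audits role definitions and an issued-certificate inventory against those preconditions and flags wildcard certificates issued under roles whose policy (allow_subdomains=false) was meant to refuse them. It assumes each role is represented by a dict shaped like the data object returned by `vault read -format=json pki/roles/<name>`, and the sample roles, certificate names and version strings are constructed for the demonstration; the intended-policy model in `role_intends_to_allow` is a deliberate simplification of Vault's real name validation.

```python
"""Audit helper for CVE-2022-25243 (Vault PKI wildcard issuance).

Flags PKI roles whose configuration matches the advisory's preconditions and
checks issued certificate names against the role's intended policy, so that a
wildcard certificate issued despite allow_subdomains=false stands out.
"""
from typing import Dict, List, Tuple

# Affected versions as stated in the advisory: 1.8.0 through 1.8.8, and 1.9.3.
AFFECTED_RANGES = [((1, 8, 0), (1, 8, 8)), ((1, 9, 3), (1, 9, 3))]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse "1.8.8", "1.9.3+ent" or "1.9.0-rc1" into a comparable tuple."""
    core = v.split("+")[0].split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def version_affected(v: str) -> bool:
    t = parse_version(v)
    return any(lo <= t <= hi for lo, hi in AFFECTED_RANGES)


def role_matches_preconditions(role: Dict) -> bool:
    """True when allow_bare_domains is enabled and at least one
    allowed_domains entry contains no glob, i.e. the advisory's trigger."""
    if not role.get("allow_bare_domains", False):
        return False
    return any("*" not in d for d in role.get("allowed_domains", []))


def role_intends_to_allow(role: Dict, name: str) -> bool:
    """Simplified model of what the role policy is meant to permit (assumption,
    not Vault's real validator): a wildcard is a subdomain-style name and needs
    allow_subdomains; a bare name needs allow_bare_domains and an exact match."""
    allowed = role.get("allowed_domains", [])
    if name.startswith("*."):
        return bool(role.get("allow_subdomains")) and name[2:] in allowed
    if role.get("allow_bare_domains") and name in allowed:
        return True
    if role.get("allow_subdomains"):
        return any(name.endswith("." + d) for d in allowed)
    return False


def audit(vault_version: str, roles: Dict[str, Dict],
          issued: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings; issued is a list of (role, common_name)."""
    findings: List[str] = []
    if version_affected(vault_version):
        findings.append(f"vault {vault_version} is in the affected range; "
                        "upgrade to 1.8.9 / 1.9.4 or newer")
        for name, role in roles.items():
            if role_matches_preconditions(role):
                findings.append(f"role {name}: allow_bare_domains=true with a "
                                "non-glob allowed_domains entry (CVE-2022-25243 preconditions)")
    for role_name, cn in issued:
        role = roles.get(role_name, {})
        if cn.startswith("*.") and not role_intends_to_allow(role, cn):
            findings.append(f"cert {cn} issued under role {role_name}, "
                            "which does not permit wildcard names")
    return findings


# Constructed sample roles (field names mirror the PKI role parameters).
ROLES = {
    # Vulnerable combination: bare domains on, subdomains off, glob-free domain.
    "web-bare": {"allowed_domains": ["example.com"],
                 "allow_bare_domains": True, "allow_subdomains": False},
    # Only glob entries: not a match for the advisory's trigger.
    "web-glob": {"allowed_domains": ["*.example.com"],
                 "allow_bare_domains": True, "allow_subdomains": False},
    # Bare domains off: not a match either.
    "web-sub": {"allowed_domains": ["example.com"],
                "allow_bare_domains": False, "allow_subdomains": True},
}

# Constructed inventory of (role, common name) pairs taken from issued certs.
ISSUED = [("web-bare", "example.com"),
          ("web-bare", "*.example.com"),   # wildcard the role meant to refuse
          ("web-sub", "*.example.com")]    # wildcard the role does allow


if __name__ == "__main__":
    for line in audit("1.8.8", ROLES, ISSUED):
        print("FINDING:", line)
```

Running the block against the constructed data on version 1.8.8 yields three findings (affected version, the web-bare role, and the wildcard certificate issued under it); on 1.9.4 only the issued wildcard is reported, since that is evidence worth reviewing regardless of the current version.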
Source: This report was generated using AI