
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in HashiCorp Vault and Vault Enterprise (CVE-2022-40186) affecting versions 1.8.0 through 1.11.2. The vulnerability was identified by the Vault engineering team and disclosed on September 20, 2022. The issue affects the Identity Engine component where entity aliases mapped to a single entity share the same alias name but have different mount accessors (HashiCorp Discussion).
In that configuration, Vault leaks metadata between the aliases: within a single entity, the metadata of an entity alias for one auth method may be overwritten when a login is performed against another auth method whose alias has the same name. The vulnerability has a CVSS score of 9.1 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NetApp Security).
The metadata leak may result in unexpected access if templated policies are using alias metadata for path names. When ACL policies are deployed, the identity.entity.aliases.
The vulnerability has been fixed in Vault versions 1.11.3, 1.10.6, and 1.9.9. Organizations should evaluate the risk and consider upgrading to these or newer versions. It is recommended to review existing authentication methods to ensure proper functionality and operation, particularly in cases where custom entity aliases have been explicitly set in Vault configuration and duplicate alias names may exist. Additionally, organizations should consider using Vault's feature to auto-generate entity alias names to ensure duplicates are not created in the future (HashiCorp Discussion).
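The review of duplicate alias names recommended above can be scripted. The following added example (not HashiCorp's code) flags entities whose aliases share a name across different mount accessors, the condition under which the affected versions could overwrite alias metadata, and lists the metadata keys whose values differ between the colliding aliases, since those are the keys a templated policy path would resolve differently after an overwrite. It assumes entity records in the simplified shape of the Vault identity entity API response (name, aliases with name, mount_accessor and metadata); the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records, in the simplified shape of a Vault identity
# entity (name, aliases with name/mount_accessor/metadata). "alice" holds one
# alias name on two mounts with differing metadata, the pattern in which
# Vault 1.8.0-1.11.2 could overwrite one alias's metadata at login; "bob" is clean.
SAMPLE_ENTITIES = [
    {"name": "alice", "aliases": [
        {"name": "alice", "mount_accessor": "auth_userpass_1a2b3c4d",
         "metadata": {"team": "payments", "region": "eu"}},
        {"name": "alice", "mount_accessor": "auth_ldap_5e6f7a8b",
         "metadata": {"team": "platform", "region": "eu"}},
    ]},
    {"name": "bob", "aliases": [
        {"name": "bob", "mount_accessor": "auth_userpass_1a2b3c4d",
         "metadata": {"team": "payments"}},
        {"name": "bob@example.com", "mount_accessor": "auth_ldap_5e6f7a8b",
         "metadata": {"team": "payments"}},
    ]},
]

def find_colliding_aliases(entities):
    """Per entity, report each alias name present on two or more mount accessors,
    with those accessors and the metadata keys whose values differ between the
    colliding aliases: a templated path such as
    secret/{{identity.entity.aliases.<accessor>.metadata.team}}/* would resolve
    differently once such a key is overwritten."""
    findings = {}
    for entity in entities:
        groups = defaultdict(list)
        for alias in entity.get("aliases", []):
            groups[alias["name"]].append(alias)
        for alias_name, aliases in groups.items():
            accessors = {a["mount_accessor"] for a in aliases}
            if len(accessors) < 2:
                continue  # same name on a single mount is not the CVE pattern
            keys = set().union(*(a.get("metadata", {}) for a in aliases))
            differing = sorted(k for k in keys if len(
                {a.get("metadata", {}).get(k) for a in aliases}) > 1)
            findings.setdefault(entity["name"], {})[alias_name] = {
                "mount_accessors": sorted(accessors),
                "conflicting_metadata_keys": differing,
            }
    return findings

if __name__ == "__main__":
    for entity, collisions in find_colliding_aliases(SAMPLE_ENTITIES).items():
        for alias, info in collisions.items():
            print(f"{entity}: alias {alias!r} on {info['mount_accessors']}, "
                  f"conflicting metadata keys {info['conflicting_metadata_keys']}")
```

On a live cluster the same records can be pulled with `vault list identity/entity/id` followed by `vault read -format=json identity/entity/id/<id>` for each entity; only the `name`, `aliases[].name`, `aliases[].mount_accessor` and `aliases[].metadata` fields are consulted.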
Source: This report was generated using AI