CVE-2023-3775: 
HashiCorp Vault vulnerability analysis and mitigation

A vulnerability in HashiCorp Vault Enterprise (CVE-2023-3775) was discovered where a Sentinel Role Governing Policy (RGP) created to restrict access to resources in one namespace could be applied to requests in another non-descendant namespace. The vulnerability has affected Vault Enterprise since version 0.11.0 and was fixed in versions 1.15.0, 1.14.4, and 1.13.8. The issue was disclosed on September 28, 2023 (HashiCorp Advisory).

The vulnerability specifically affects Sentinel Role Governing Policies (RGPs) in Vault Enterprise's namespace functionality. Namespaces are designed to be isolated environments within Vault, containing secret engines, auth methods, and policies. While namespaces can have parent/child relationships for policy and identity sharing, this vulnerability allowed RGPs from one namespace to affect resources in non-child namespaces. The issue received a CVSS v3.1 base score of 4.9 (Medium) from NVD and 4.2 (Medium) from HashiCorp (NVD Database).

The vulnerability's primary impact is potential denial of service to resources in non-descendant namespaces. Since RGPs can only be used to restrict or deny access to resources and cannot grant additional access, the vulnerability's scope is limited to denial of service scenarios. The issue affects only RGPs, while Sentinel Endpoint Governing Policies (EGPs) and Vault's ACLs remain unaffected (HashiCorp Advisory).

HashiCorp has released fixed versions of Vault Enterprise: 1.15.0, 1.14.4, and 1.13.8. Organizations are recommended to evaluate their risk exposure and upgrade to one of these patched versions. The upgrade process should follow HashiCorp's general guidance and version-specific upgrade notes (HashiCorp Advisory).

The vulnerability was responsibly disclosed by Marc Billow of Indeed to HashiCorp through their security reporting process, demonstrating effective coordination between security researchers and the vendor (HashiCorp Advisory).