---

Log

AVG-2029 edited at 03 Jun 2021 12:30:42
Severity	- Unknown + Medium

CVE-2021-32923 edited at 03 Jun 2021 12:30:42
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Authentication bypass
Description	+ HashiCorp Vault before version 1.7.2 allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use.
References	+ https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603 + https://github.com/hashicorp/vault/commit/a671890555c78de61cef44ec1a47fe114ee766ee
Notes

AVG-2029 created at 03 Jun 2021 12:26:34
Packages	+ vault
Issues	+ CVE-2021-32923
Status	+ Fixed
Severity	+ Unknown
Affected	+ 1.7.1-2
Fixed	+ 1.7.2-1
Ticket
Advisory qualified	+ Yes
References
Notes

CVE-2021-32923 created at 03 Jun 2021 12:26:34

CVE-2021-33560 edited at 03 Jun 2021 09:03:05
Description	- A weakness has been found in the generation of ephemeral keys in the ElGamal encryption of libgcrypt before version 1.8.8 when the recipient's key is not generated using the same or a compatible implementation. + A weakness has been found in the generation of ephemeral keys in the ElGamal encryption of libgcrypt when the recipient's key is not generated using the same or a compatible implementation.
References	https://dev.gnupg.org/T5328 - https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=707c3c5c511ee70ad0e39ec613471f665305fbea + https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=3462280f2e23e16adf3ed5176e0f2413d8861320

CVE-2021-33560 edited at 03 Jun 2021 09:02:19
Description	- A weakness has been found in the generation of ephemeral keys in the ElGamal encryption of libgcrypt when the recipient's key is not generated using the same or a compatible implementation. + A weakness has been found in the generation of ephemeral keys in the ElGamal encryption of libgcrypt before version 1.8.8 when the recipient's key is not generated using the same or a compatible implementation.
References	https://dev.gnupg.org/T5328 - https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=3462280f2e23e16adf3ed5176e0f2413d8861320 + https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=707c3c5c511ee70ad0e39ec613471f665305fbea

ASA-202106-19 edited at 03 Jun 2021 08:47:47

ASA-202106-18 edited at 03 Jun 2021 08:47:43

ASA-202106-17 edited at 03 Jun 2021 08:47:40

ASA-202106-16 edited at 03 Jun 2021 08:47:36

ASA-202106-15 edited at 03 Jun 2021 08:47:33

ASA-202106-14 edited at 03 Jun 2021 08:47:29