HashiCorp Vault
cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*
- >= 0.10.4, <= 1.19.5
A vulnerability exists in HashiCorp Vault that allows a privileged operator with write access to the root namespace's identity endpoint to escalate a token's privileges to Vault's root policy. This issue affects Vault Community Edition 0.10.4 through 1.19.5 and Vault Enterprise 0.10.4 through 1.19.5, as well as the Enterprise 1.18.x and 1.16.x release lines before the fixed versions 1.18.11 and 1.16.22. The vulnerability is rooted in the normalization of policy names combined with inadequate input validation on the identity endpoint: because names are normalized before they take effect and the endpoint did not validate the supplied names adequately, an operator can manipulate an entity's token privileges, and the affected token retains the escalated privileges for the remainder of its validity period. The issue is confined to the root namespace; entities in administrative namespaces and HCP Vault Dedicated are not affected.
Successful exploitation elevates a token to Vault's root policy, giving the affected user or entity unrestricted access to the Vault server for as long as that token remains valid.
Users are advised to upgrade to Vault Community Edition 1.20.0 or Vault Enterprise 1.20.0, 1.19.6, 1.18.11, or 1.16.22. For general upgrade guidance, refer to the 'Upgrading Vault' documentation. Alternatively, Vault Enterprise users can employ Sentinel EGP policies (an Enterprise feature) to restrict and monitor which policies may be assigned to entities through the identity endpoint.
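The following script is an added example for this advisory, not HashiCorp's code. It illustrates the two points above: why an exact-string check for the root policy is inadequate once names are normalized, and how to audit existing entities for policy names that would normalize to root. The page only says policy names are "normalized"; that normalization is whitespace trimming plus lowercasing is an assumption of this example. The entity records are constructed sample data so the audit runs offline; fetch_entities() uses the identity API paths LIST /v1/identity/entity/id and GET /v1/identity/entity/id/<id> when VAULT_ADDR and VAULT_TOKEN are set.

```python
"""Audit Vault identity entities for policy names that normalize to "root".

Added example for this advisory, not HashiCorp's own code. Assumption: the
"normalization" the advisory mentions is whitespace trimming plus lowercasing.
SAMPLE_ENTITIES is constructed data; fetch_entities() reads a live server via
the documented identity API when VAULT_ADDR and VAULT_TOKEN are set.
"""
import json
import os
import urllib.request

ROOT_POLICY = "root"


def normalize_policy_name(name: str) -> str:
    """Assumed normalization applied before a policy takes effect on a token."""
    return name.strip().lower()


def naive_rejects_root(policies) -> bool:
    """Exact-match check of the kind the advisory calls inadequate:
    'Root' or ' root ' is not equal to 'root', so the check passes them."""
    return ROOT_POLICY in policies


def hardened_rejects_root(policies) -> bool:
    """Compare the name as it will look after normalization, i.e. as the
    token will actually carry it."""
    return any(normalize_policy_name(p) == ROOT_POLICY for p in policies)


def find_root_entities(entities):
    """Return [(entity_id, policy_as_written), ...] for every entity whose
    policy list contains a name that normalizes to 'root'."""
    findings = []
    for ent in entities:
        for policy in ent.get("policies") or []:  # policies may be null
            if normalize_policy_name(policy) == ROOT_POLICY:
                findings.append((ent["id"], policy))
    return findings


def _vault_get(addr, token, path):
    """GET a Vault API path and return its 'data' object."""
    req = urllib.request.Request(addr.rstrip("/") + path,
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


def fetch_entities(addr, token):
    """Read every entity visible to the token (no namespace header, so a
    root-namespace token audits the root namespace the advisory scopes to).
    Needs 'list' on identity/entity/id and 'read' on identity/entity/id/*."""
    ids = _vault_get(addr, token, "/v1/identity/entity/id?list=true")["keys"]
    return [_vault_get(addr, token, "/v1/identity/entity/id/" + eid)
            for eid in ids]


# Constructed sample data, not output from a real Vault server.
SAMPLE_ENTITIES = [
    {"id": "0f1e-alice", "name": "alice", "policies": ["default", "dev-read"]},
    {"id": "2d3c-opsbot", "name": "ops-bot", "policies": ["default", "Root"]},
    {"id": "4b5a-audit", "name": "auditor", "policies": [" root "]},
    {"id": "6978-empty", "name": "no-policies", "policies": None},
]

if __name__ == "__main__":
    if os.environ.get("VAULT_ADDR") and os.environ.get("VAULT_TOKEN"):
        entities = fetch_entities(os.environ["VAULT_ADDR"],
                                  os.environ["VAULT_TOKEN"])
    else:
        entities = SAMPLE_ENTITIES
    for eid, name in find_root_entities(entities):
        print(f"entity {eid} carries policy {name!r}, which normalizes to root")
```

Run it without environment variables to see the check flag the two constructed entities whose names differ from "root" only by case or padding; with VAULT_ADDR and VAULT_TOKEN set it lists the real entities instead. Any hit on a version in the affected range is worth treating as a possible escalation, since the entity's existing tokens keep those privileges until they expire.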