HashiCorp Vault Authorization Header Pass-Through Vulnerability Exposing Tokens to Auth Plugins

Vulnerability

HashiCorp Vault lets an auth mount be tuned to pass selected client request headers through to its authentication plugin (the mount's passthrough_request_headers setting). Vault accepts the client token either in the X-Vault-Token header or as 'Authorization: Bearer <token>'. When an auth mount was configured to pass the 'Authorization' header through, Vault forwarded that header to the plugin backend without first removing the Vault token it may carry, so the caller's own token was exposed to the plugin. The issue affects Vault Community Edition from 0.11.2 up to and including 1.21.4, and Vault Enterprise from 0.11.2 up to and including 1.21.4, 1.20.9 and 1.19.15 (the fixed releases listed under Remediation are the next patch release of each affected line).
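The following is an added illustration, not Vault's code and not the actual patch: a simplified model of how a mount's passthrough list selects which client headers reach the auth plugin, and why letting 'Authorization' through leaks the Vault token when the client sent it in Bearer form. The header names follow Vault's documented token headers; the function names, the sample request and the "strip the header the token was read from" hardening are constructed for this example.

```python
# Added example (not HashiCorp's code): model of auth-mount header passthrough,
# pre-fix versus hardened. Function names and sample values are constructed.

# Vault resolves the client token from X-Vault-Token, or, if that header is
# absent, from "Authorization: Bearer <token>".
VAULT_TOKEN_HEADER = "x-vault-token"
AUTHZ_HEADER = "authorization"


def normalize(headers):
    """Lower-case header names so lookups are case-insensitive, as HTTP headers are."""
    return {k.lower(): v for k, v in headers.items()}


def vault_token_from(headers):
    """Return (token, source_header) the way a Vault server resolves the client
    token, or (None, None) if the request carries no token."""
    h = normalize(headers)
    if h.get(VAULT_TOKEN_HEADER):
        return h[VAULT_TOKEN_HEADER], VAULT_TOKEN_HEADER
    scheme, _, value = h.get(AUTHZ_HEADER, "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip(), AUTHZ_HEADER
    return None, None


def passthrough_vulnerable(headers, passthrough_request_headers):
    """Pre-fix behaviour (modelled): every header on the passthrough list is
    copied to the plugin verbatim, including an Authorization header that
    carries the Vault token itself."""
    allowed = {name.lower() for name in passthrough_request_headers}
    return {k: v for k, v in normalize(headers).items() if k in allowed}


def passthrough_hardened(headers, passthrough_request_headers):
    """Hardened behaviour (modelled, not the upstream fix): same selection, but
    the header Vault took the client token from is never forwarded. A third-party
    Authorization header still reaches the plugin when the Vault token came in
    via X-Vault-Token, so legitimate passthrough keeps working."""
    forwarded = passthrough_vulnerable(headers, passthrough_request_headers)
    token, source = vault_token_from(headers)
    if token is not None and source in forwarded:
        del forwarded[source]
    return forwarded


# Constructed request: a client calling an auth mount with its Vault token in
# Bearer form and no X-Vault-Token header; the token value is not real.
SAMPLE_REQUEST = {
    "Authorization": "Bearer hvs.EXAMPLEtokenNOTreal",
    "X-Forwarded-For": "203.0.113.10",
    "Content-Type": "application/json",
}
# Constructed mount tune: passthrough_request_headers including Authorization.
MOUNT_PASSTHROUGH = ["Authorization", "X-Forwarded-For"]


def leaked_token(headers=SAMPLE_REQUEST, passthrough=MOUNT_PASSTHROUGH):
    """Token value the plugin would be able to read under the vulnerable
    behaviour, or None if nothing usable as a Vault token was forwarded."""
    token, _ = vault_token_from(passthrough_vulnerable(headers, passthrough))
    return token


if __name__ == "__main__":
    print("vulnerable forwards:", passthrough_vulnerable(SAMPLE_REQUEST, MOUNT_PASSTHROUGH))
    print("hardened forwards:  ", passthrough_hardened(SAMPLE_REQUEST, MOUNT_PASSTHROUGH))
    print("token visible to plugin (vulnerable):", leaked_token())
```

The point the model makes is that the passthrough list is a per-mount allow-list chosen by the operator, and that the defect is not in the list itself but in the core forwarding the token-bearing header unchanged; a plugin that logs or proxies its incoming headers then holds the caller's token.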

Impact

An auth plugin that receives the caller's Vault token holds a credential it was never meant to see. The plugin, or anything it writes or forwards request headers to (logs, upstream identity providers), can then call the Vault API as the token holder, bounded only by the policies and TTL attached to that token. The exposure is limited to the plugin behind a mount that an operator tuned to pass 'Authorization' through, so the practical risk is a malicious or compromised plugin or its surrounding infrastructure; tokens with broad policies, such as operator or CI tokens, are the worst case.

Remediation

Upgrade to Vault Community Edition 2.0.0, or to Vault Enterprise 2.0.0, 1.21.5, 1.20.10 or 1.19.16, following the 'Upgrading Vault' guide. Until the upgrade is in place, check each auth mount's tune configuration (vault read sys/auth/<path>/tune, field passthrough_request_headers) and, on any mount whose plugin does not actually need it, tune the passthrough list again without 'Authorization' (vault auth tune -passthrough-request-headers=<remaining headers> <path>). If an affected mount's plugin logs or forwards headers to systems you do not fully trust, rotate the tokens that were presented to it.
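The check described above, as an added script that is not HashiCorp's: it flags auth mounts whose tune config passes 'Authorization' through and classifies a running build against the fixed releases this advisory lists. The sample JSON is constructed to match the shape of vault auth list -format=json and vault read -format=json sys/auth/<path>/tune; the live_report function drives the real CLI and assumes VAULT_ADDR and VAULT_TOKEN are set in the environment.

```python
# Added audit script (not HashiCorp's code). Sample data below is constructed;
# live_report() shells out to the vault CLI and is only run from __main__.
import json
import subprocess

# Fixed releases per this advisory: Community Edition only in 2.0.0;
# Enterprise in 2.0.0, 1.21.5, 1.20.10 and 1.19.16.
FIXED_MAJOR = (2, 0, 0)
FIXED_ENTERPRISE = {(1, 21): (1, 21, 5), (1, 20): (1, 20, 10), (1, 19): (1, 19, 16)}


def parse_version(version):
    """'1.21.4+ent' -> ((1, 21, 4), True); '1.21.4' -> ((1, 21, 4), False).
    Matches the 'version' field of `vault status -format=json`."""
    base, _, build = version.partition("+")
    parts = tuple(int(p) for p in base.lstrip("v").split(".")[:3])
    while len(parts) < 3:
        parts += (0,)
    return parts, "ent" in build


def is_fixed(version):
    """True only for builds the advisory lists as fixed. Release lines the
    advisory does not mention (for example a hypothetical 1.22.x) are reported
    as not confirmed fixed rather than guessed."""
    v, enterprise = parse_version(version)
    if v >= FIXED_MAJOR:
        return True
    if enterprise:
        floor = FIXED_ENTERPRISE.get(v[:2])
        return floor is not None and v >= floor
    return False  # Community Edition: only 2.0.0 or later carries the fix


def exposed_auth_mounts(auth_list, tune_by_path):
    """Return [(mount_path, type)] for mounts whose passthrough_request_headers
    includes Authorization (case-insensitive, as HTTP header names are).
    auth_list: parsed `vault auth list -format=json`
    tune_by_path: {mount_path: parsed `vault read -format=json sys/auth/<path>/tune`}"""
    exposed = []
    for path, mount in auth_list.items():
        tune = tune_by_path.get(path, {}).get("data", {})
        headers = tune.get("passthrough_request_headers") or []
        if any(h.lower() == "authorization" for h in headers):
            exposed.append((path, mount.get("type")))
    return exposed


# Constructed sample data in the shape of the CLI output (accessors are dummies).
SAMPLE_AUTH_LIST = {
    "token/": {"type": "token", "accessor": "auth_token_00000000"},
    "oidc/": {"type": "oidc", "accessor": "auth_oidc_00000000"},
    "approle/": {"type": "approle", "accessor": "auth_approle_00000000"},
}
SAMPLE_TUNE = {
    "token/": {"data": {}},
    "oidc/": {"data": {"passthrough_request_headers": ["Authorization", "X-Forwarded-For"]}},
    "approle/": {"data": {"passthrough_request_headers": ["X-Forwarded-For"]}},
}


def vault_json(*args):
    """Run the vault CLI with -format=json and parse its output (live use only)."""
    proc = subprocess.run(["vault", *args, "-format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def live_report():
    """Collect auth mounts, their tune configs and the server version from a
    reachable Vault (needs VAULT_ADDR/VAULT_TOKEN and read on sys/auth)."""
    auth_list = vault_json("auth", "list")
    tune = {path: vault_json("read", f"sys/auth/{path}tune") for path in auth_list}
    version = vault_json("status").get("version", "")
    return version, exposed_auth_mounts(auth_list, tune)


if __name__ == "__main__":
    version, exposed = live_report()
    print(f"vault {version}: listed as fixed = {is_fixed(version)}")
    for path, kind in exposed:
        print(f"auth mount {path} ({kind}) passes Authorization through to its plugin")
```

A mount reported here is only a problem on an unfixed build, but listing them is still useful after upgrading, because it shows which plugins were receiving caller tokens and whose logs or upstreams may need review.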

Added: Apr 17, 2026, 4:21 AM
Updated: Apr 17, 2026, 4:21 AM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 6.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.