HashiCorp Vault ACME Validation Vulnerability Leading to Server-Side Request Forgery

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in HashiCorp Vault's PKI engine, specifically in its ACME validation process. The issue arises because challenge validation did not properly reject local targets when performing http-01 and tls-alpn-01 challenges. As a result, validation requests could be sent to local network targets, potentially leading to unauthorized information disclosure. This vulnerability affects Vault Community Edition versions 1.14.0 through 1.21.4, as well as Vault Enterprise versions 1.14.0 through 1.21.4, 1.20.9, and 1.19.15. It has been fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Impact

Exploitation of this vulnerability could result in server-side request forgery, allowing an attacker to send requests to internal network services and potentially disclose sensitive information.

Remediation

Users are advised to upgrade to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0, 1.21.5, 1.20.10, or 1.19.16. For guidance on upgrading Vault, please refer to the official Vault upgrading documentation.
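The advisory boils down to one missing check: an ACME server must refuse to contact local or non-public addresses when it validates an http-01 or tls-alpn-01 challenge. The following Go code is an added illustration of such a check and is not Vault's own code; the Resolver hook, the example.test names and the addresses are constructed so it runs offline.

```go
package main

import (
	"fmt"
	"net"
)

// Resolver is a hypothetical hook so the example runs offline without DNS.
type Resolver func(host string) ([]net.IP, error)

// isLocalTarget: addresses ACME challenge validation must never contact.
func isLocalTarget(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// checkChallengeTarget gates an http-01 / tls-alpn-01 validation attempt:
// IP literals are checked directly; names are refused if ANY answer is local.
func checkChallengeTarget(host string, resolve Resolver) error {
	if ip := net.ParseIP(host); ip != nil {
		if isLocalTarget(ip) {
			return fmt.Errorf("refusing local address %s", host)
		}
		return nil
	}
	ips, err := resolve(host)
	if err != nil {
		return err
	}
	if len(ips) == 0 {
		return fmt.Errorf("no addresses for %s", host)
	}
	for _, ip := range ips {
		if isLocalTarget(ip) {
			return fmt.Errorf("%s resolves to local address %s", host, ip)
		}
	}
	return nil
}

func main() {
	table := map[string][]net.IP{ // constructed answers standing in for DNS
		"www.example.test":   {net.ParseIP("203.0.113.10")},
		"mixed.example.test": {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
	}
	resolve := func(h string) ([]net.IP, error) { return table[h], nil }
	for _, h := range []string{"www.example.test", "mixed.example.test", "::1"} {
		fmt.Println(h, "->", checkChallengeTarget(h, resolve))
	}
}
```

In a real validator the address filter should also run at connect time (for example from a net.Dialer Control hook), so that a name cannot resolve to a public address during the check and to a local one when the connection is made.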

Added: Apr 17, 2026, 4:21 AM
Updated: Apr 17, 2026, 4:21 AM

Vulnerability Rating

Custom Algorithm

  spread          7.3
  impact          1.3
  exploitability  6.0
  remediation     7.7
  relevance       6.1
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.