CVE-2022-30689

HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.

Published: May 17, 2022
Updated: May 9, 2024
CVE: CVE-2022-30689
GHSA: GHSA-c5wc-v287-82pc
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
hashicorp / vault	1.10.0	1.10.3
github.com/hashicorp/vault	1.10.0	1.10.3

https://discuss.hashicorp.com
https://github.com/hashicorp/vault/commit/15baea5fa3e71c837c33b8bcbd8f06e0fbbc110d
https://security.gentoo.org/glsa/202207-01
https://security.netapp.com/advisory/ntap-20220629-0006/

Vulnerability Database

CVE-2022-30689