by cipherboy
318 days ago
Yes and https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-aut... was an earlier authN+authZ bypass in the same code block. So maybe one step down in severity, though I do not know the details of what HCSEC-2024-05 was fixed with as that was after the fork point. OpenBao moved to full cert pinning (constant-time cert.Raw comparisons) when remediating that one, which meant we were not affected by this variant.
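To illustrate the "full cert pinning (constant-time cert.Raw comparisons)" mentioned in the comment above, here is an added example that is not part of the comment and is not OpenBao's or Vault's code. It contrasts a byte-for-byte pin with a looser public-key match on constructed test certificates; `matchesPinned`, `sameKey` and `issue` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// matchesPinned is a full-certificate pin: true only if the DER bytes are identical.
func matchesPinned(pinned, presented *x509.Certificate) bool {
	return pinned != nil && presented != nil &&
		subtle.ConstantTimeCompare(pinned.Raw, presented.Raw) == 1
}

// sameKey is a looser check, for contrast: it looks only at the public key.
func sameKey(a, b *x509.Certificate) bool {
	return subtle.ConstantTimeCompare(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo) == 1
}

// issue is a hypothetical helper that builds a constructed self-signed test certificate.
func issue(key ed25519.PrivateKey, cn string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pinned, reissued := issue(key, "client", 1), issue(key, "client", 2) // same key, new serial
	fmt.Println(sameKey(pinned, reissued), matchesPinned(pinned, reissued), matchesPinned(pinned, pinned))
}
```

A certificate re-issued for the same key and subject passes the key-only check but fails the full pin, because any change to the certificate contents changes `cert.Raw`.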