{"id":"GHSA-38j9-7pp9-2hjw","summary":"Invalid session token expiration","details":"HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.","aliases":["BIT-vault-2021-32923","CVE-2021-32923","GO-2022-0623"],"modified":"2026-02-04T02:30:06.770822Z","published":"2021-06-08T18:52:05Z","related":["CGA-v8p9-4843-p8j6"],"database_specific":{"cwe_ids":["CWE-613"],"github_reviewed_at":"2021-06-04T18:42:40Z","severity":"HIGH","github_reviewed":true,"nvd_published_at":"2021-06-03T11:15:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32923"},{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603"},{"type":"WEB","url":"https://security.gentoo.org/glsa/202207-01"},{"type":"WEB","url":"https://www.hashicorp.com/blog/category/vault"}],"affected":[{"package":{"name":"github.com/hashicorp/vault","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/vault"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.7.0"},{"fixed":"1.7.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-38j9-7pp9-2hjw/GHSA-38j9-7pp9-2hjw.json"}},{"package":{"name":"github.com/hashicorp/vault","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/vault"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.6.0"},{"fixed":"1.6.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-38j9-7pp9-2hjw/GHSA-38j9-7pp9-2hjw.json"}},{"package":{"name":"github.com/hashicorp/vault","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/vault"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.10.0"},{"fixed":"1.5.9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-38j9-7pp9-2hjw/GHSA-38j9-7pp9-2hjw.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}