{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34345?format=json","vulnerability_id":"VCID-bfm3-2zvj-5bca","summary":"Incorrect Privilege Assignment in HashiCorp Vault\nHashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.","aliases":[{"alias":"CVE-2021-42135"},{"alias":"GHSA-362v-wg5p-64w2"}],"fixed_packages":[],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373312?format=json","purl":"pkg:alpm/archlinux/vault@1.7.3-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4795-vxdy-w7g3"},{"vulnerability":"VCID-bfm3-2zvj-5bca"},{"vulnerability":"VCID-rk2n-tuu9-fbdc"},{"vulnerability":"VCID-xerz-1x1v-uuap"},{"vulnerability":"VCID-xk9c-q66v-3kcx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/vault@1.7.3-1"}],"references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-42135.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-42135.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-42135","reference_id":"","reference_type":"","scores":[{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39895","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.4027","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40282","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40243","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40224","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40271","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.4024","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40164","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39991","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39976","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.4011","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.4026","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40284","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40207","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40259","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-42135"},{"reference_url":"https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards"},{"reference_url":"https://github.com/hashicorp/vault","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hashicorp/vault"},{"reference_url":"https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#180","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#180"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42135","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42135"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2015885","reference_id":"2015885","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2015885"},{"reference_url":"https://security.archlinux.org/AVG-2457","reference_id":"AVG-2457","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2457"}],"weaknesses":[{"cwe_id":266,"name":"Incorrect Privilege Assignment","description":"A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor."},{"cwe_id":863,"name":"Incorrect Authorization","description":"The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions."}],"exploits":[],"severity_range_score":"4.0 - 8.9","exploitability":"0.5","weighted_severity":"8.0","risk_score":4.0,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bfm3-2zvj-5bca"}