CVE-2022-36130

{"id": "CVE-2022-36130", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2022-09-01T02:15:07.980", "references": [{"url": "https://discuss.hashicorp.com", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://discuss.hashicorp.com/t/hcsec-2022017-boundary-allowed-access-to-host-sets-and-credential-sources-for-authorized-users-of-another-scope/43493", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2."}, {"lang": "es", "value": "HashiCorp Boundary versiones hasta 0.10.1, no llevaba a cabo apropiadamente las comprobaciones de integridad de los datos para garantizar que los recursos estuvieran asociados a los \u00e1mbitos correctos, lo que permit\u00eda una potencial escalada de privilegios para usuarios autorizados de otro \u00e1mbito. Corregido en Boundary versi\u00f3n 0.10.2"}], "lastModified": "2022-09-09T14:17:42.070", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:boundary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ACA99134-C390-4EEA-BA71-32CD5550C415", "versionEndExcluding": "0.10.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}