{
  "threat_severity" : "Low",
  "public_date" : "2021-08-13T00:00:00Z",
  "bugzilla" : {
    "description" : "vault: UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser",
    "id" : "1995207",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1995207"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-200",
  "details" : [ "HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.", "A flaw was found in the vault package. The Vault UI web application may fail to completely clear a client-side data cache on user logout. As a result, an authenticated user sharing a browser to access Vault may have been able to view the previous authenticated user’s cached secrets, even if they were not authorized by Vault policies to view them." ],
  "statement" : "The Vault deployments that do not enable the Vault UI are not affected by this issue.",
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/logging-loki-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "OpenShift Service Mesh 2.0",
    "fix_state" : "Not affected",
    "package_name" : "servicemesh",
    "cpe" : "cpe:/a:redhat:service_mesh:2.0"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "vault",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-installer",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/topology-aware-lifecycle-manager-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/cephcsi-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/mcg-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/ocs-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/rook-ceph-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/cephcsi-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/mcg-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/ocs-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odf-multicluster-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odf-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odr-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/rook-ceph-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-38554\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-38554\nhttps://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166" ],
  "name" : "CVE-2021-38554",
  "csaw" : false
}