hashicorp · pmmukh · Dec 8, 2021 · Dec 8, 2021 · Dec 8, 2021 · Dec 8, 2021
@@ -20,11 +20,13 @@ Each user may have multiple accounts with various identity providers, and Vault
 supports many of those providers to authenticate with Vault. Vault Identity can
 tie authentications from various auth methods to a single representation. This representation of a consolidated identity is called an **Entity** and their
 corresponding accounts with authentication providers can be mapped as
-**Aliases**. In essence, each entity is made up of zero or more aliases. 
+**Aliases**. In essence, each entity is made up of zero or more aliases. An entity cannot have more than one alias for
+a particular authentication backend.
 
 For example, a user with accounts in both GitHub and LDAP can be mapped to a
 single entity in Vault with two aliases, one of type GitHub and one of type
-LDAP.
+LDAP. Note however, if both aliases are created on the same auth mount, say
+a Github mount, both aliases cannot be mapped to the same entity.
 
 ![Entity  overview](/img/vault-identity-doc-1.png)
 

@@ -1,15 +1,15 @@
 ---
 layout: docs
-page_title: Upgrading to Vault 1.7.0 - Guides
+page_title: Upgrading to Vault 1.7.x - Guides
 description: |-
   This page contains the list of deprecations and important or breaking changes
-  for Vault 1.7.0. Please read it carefully.
+  for Vault 1.7.x. Please read it carefully.
 ---
 
 # Overview
 
 This page contains the list of deprecations and important or breaking changes
-for Vault 1.7.0 compared to 1.6. Please read it carefully.
+for Vault 1.7.x compared to 1.6. Please read it carefully.
 
 ## Barrier Key Auto-Rotation
 
@@ -31,6 +31,8 @@ endpoint changes is available in the [AWS Auth API docs](/api-docs/auth/aws#depr
 
 @include 'alpine-314.mdx'
 
+@include 'entity-alias-mapping.mdx'
+
 ## Known Issues
 
 Due to the known issue, Transform Secrets Engine users are recommended to upgrade to version 1.7.0.
@@ -48,3 +50,4 @@ Due to the known issue, Lease Count Quota users with DR Secondaries are recommen
 @include 'transform-upgrade.mdx'
 
 @include 'lease-count-quota-upgrade.mdx'
+
@@ -1,15 +1,15 @@
 ---
 layout: docs
-page_title: Upgrading to Vault 1.8.0 - Guides
+page_title: Upgrading to Vault 1.8.x - Guides
 description: |-
   This page contains the list of deprecations and important or breaking changes
-  for Vault 1.8.0. Please read it carefully.
+  for Vault 1.8.x. Please read it carefully.
 ---
 
 # Overview
 
 This page contains the list of deprecations and important or breaking changes
-for Vault 1.8.0 compared to 1.7. Please read it carefully.
+for Vault 1.8.x compared to 1.7. Please read it carefully.
 
 ## License Enhancements
 
@@ -40,6 +40,9 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note:
 
 @include 'alpine-314.mdx'
 
+
+@include 'entity-alias-mapping.mdx'
+
 ## Known Issues
 
 - MSSQL integrations (storage and secrets engine) will crash with a "panic: not implemented" error

@@ -1,15 +1,15 @@
 ---
 layout: docs
-page_title: Upgrading to Vault 1.9.0 - Guides
+page_title: Upgrading to Vault 1.9.x - Guides
 description: |-
   This page contains the list of deprecations and important or breaking changes
-  for Vault 1.9.0. Please read it carefully.
+  for Vault 1.9.x. Please read it carefully.
 ---
 
 # Overview
 
 This page contains the list of deprecations and important or breaking changes
-for Vault 1.9.0 compared to 1.8. Please read it carefully.
+for Vault 1.9.x compared to 1.8. Please read it carefully.
 
 ## OIDC Provider
 
@@ -56,6 +56,8 @@ To re-enable the old behavior, update the roles with a value
 of `"*"` to the `allowed_extensions` parameter allowing any/all extensions to be
 specified by clients.
 
+@include 'entity-alias-mapping.mdx'
+
 ## Deprecations
 
 ### HTTP Request Counter Deprecation
@@ -92,3 +94,4 @@ Additionally, Go has begun doing automated cipher suite ordering and no longer
 respects the order of suites given in `tls_cipher_suites`.
 
 See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information.
+
@@ -0,0 +1,7 @@
+## Entity Alias mapping
+
+Previously, an entity in Vault could be mapped to multiple entity aliases on the same authentication backend. This
+led to a potential security vulnerability (CVE-2021-43998), as ACL policies templated with alias information would match the first
+alias created. Thus, tokens created from all aliases of the entity, will have access to the paths containing alias 
+metadata of the first alias due to templated policies being incorrectly applied. As a result, the mapping behavior was updated 
+such that an entity can only have one alias per authentication backend. This change exists in Vault 1.9.0+, 1.8.5+ and 1.7.6+.
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
@@ -1470,16 +1470,16 @@
         "path": "upgrading/plugins"
       },
       {
-        "title": "Upgrade to 1.9.0",
-        "path": "upgrading/upgrade-to-1.9.0"
+        "title": "Upgrade to 1.9.x",
+        "path": "upgrading/upgrade-to-1.9.x"
       },
       {
-        "title": "Upgrade to 1.8.0",
-        "path": "upgrading/upgrade-to-1.8.0"
+        "title": "Upgrade to 1.8.x",
+        "path": "upgrading/upgrade-to-1.8.x"
       },
       {
-        "title": "Upgrade to 1.7.0",
-        "path": "upgrading/upgrade-to-1.7.0"
+        "title": "Upgrade to 1.7.x",
+        "path": "upgrading/upgrade-to-1.7.x"
       },
       {
         "title": "Upgrade to 1.6.3",