CVE-2025-49827 (GCVE-0-2025-49827)
Vulnerability from cvelistv5 – Published: 2025-07-15 19:26 – Updated: 2025-11-04 21:11
VLAI?
Summary
Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.5 and 13.6 are vulnerable to bypass of the IAM authenticator. An attacker who can manipulate the headers signed by AWS can take advantage of a malformed regular expression to redirect the authentication validation request that Secrets Manager, Self-Hosted sends to AWS to a malicious server controlled by the attacker. This redirection could result in a bypass of the Secrets Manager, Self-Hosted IAM Authenticator, granting the attacker the permissions granted to the client whose request was manipulated. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.
Severity ?
CWE
- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49827",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-15T20:42:39.221072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T20:42:47.137Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:21.326Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/08/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/16/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "conjur",
"vendor": "cyberark",
"versions": [
{
"status": "affected",
"version": "Conjur OSS \u003e= 1.19.5, \u003c 1.22.1"
},
{
"status": "affected",
"version": "Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) \u003e= 13.1, \u003c 13.5.1"
},
{
"status": "affected",
"version": "Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) \u003e= 13.6, \u003c 13.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.5 and 13.6 are vulnerable to bypass of the IAM authenticator. An attacker who can manipulate the headers signed by AWS can take advantage of a malformed regular expression to redirect the authentication validation request that Secrets Manager, Self-Hosted sends to AWS to a malicious server controlled by the attacker. This redirection could result in a bypass of the Secrets Manager, Self-Hosted IAM Authenticator, granting the attacker the permissions granted to the client whose request was manipulated. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T19:26:06.451Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cyberark/conjur/security/advisories/GHSA-gmc5-9mpc-xg75",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cyberark/conjur/security/advisories/GHSA-gmc5-9mpc-xg75"
},
{
"name": "https://github.com/cyberark/conjur/releases/tag/v1.22.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cyberark/conjur/releases/tag/v1.22.1"
}
],
"source": {
"advisory": "GHSA-gmc5-9mpc-xg75",
"discovery": "UNKNOWN"
},
"title": "Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) Vulnerable to Bypass of IAM Authenticator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49827",
"datePublished": "2025-07-15T19:26:06.451Z",
"dateReserved": "2025-06-11T14:33:57.799Z",
"dateUpdated": "2025-11-04T21:11:21.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-49827\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-15T20:15:39.823\",\"lastModified\":\"2025-11-04T22:16:18.750\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.5 and 13.6 are vulnerable to bypass of the IAM authenticator. An attacker who can manipulate the headers signed by AWS can take advantage of a malformed regular expression to redirect the authentication validation request that Secrets Manager, Self-Hosted sends to AWS to a malicious server controlled by the attacker. This redirection could result in a bypass of the Secrets Manager, Self-Hosted IAM Authenticator, granting the attacker the permissions granted to the client whose request was manipulated. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.\"},{\"lang\":\"es\",\"value\":\"Conjur proporciona gesti\u00f3n de secretos e identidad de aplicaciones para infraestructura. Las versiones 1.19.5 a 1.22.0 de Conjur OSS y las versiones 13.1 a 13.5 y 13.6 de Secrets Manager, Self-Hosted (anteriormente Conjur Enterprise) son vulnerables a la omisi\u00f3n del autenticador de IAM. Un atacante que manipule los encabezados firmados por AWS puede aprovechar una expresi\u00f3n regular malformada para redirigir la solicitud de validaci\u00f3n de autenticaci\u00f3n que Secrets Manager, Self-Hosted env\u00eda a AWS a un servidor malicioso controlado por el atacante. Esta redirecci\u00f3n podr\u00eda resultar en una omisi\u00f3n del autenticador de IAM de Secrets Manager, Self-Hosted, otorgando al atacante los permisos otorgados al cliente cuya solicitud fue manipulada. Este problema afecta tanto a Secrets Manager, Self-Hosted (anteriormente Conjur Enterprise) como a Conjur OSS. La versi\u00f3n 1.22.1 de Conjur OSS y las versiones 13.5.1 y 13.6.1 de Secrets Manager, Self-Hosted solucionan el problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-807\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cyberark:conjur:*:*:*:*:open_source:*:*:*\",\"versionStartIncluding\":\"1.19.5\",\"versionEndExcluding\":\"1.22.1\",\"matchCriteriaId\":\"6E8A76EE-3B5B-420D-B9D9-60F5048D2643\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cyberark:conjur:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"13.1\",\"versionEndExcluding\":\"13.5.1\",\"matchCriteriaId\":\"6D6189ED-8D56-456E-A3C5-FDB1ADCB440D\"}]}]}],\"references\":[{\"url\":\"https://github.com/cyberark/conjur/releases/tag/v1.22.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/cyberark/conjur/security/advisories/GHSA-gmc5-9mpc-xg75\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/07/16/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/08/08/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/08/08/1\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2025/07/16/7\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T21:11:21.326Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49827\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-15T20:42:39.221072Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-15T20:42:42.577Z\"}}], \"cna\": {\"title\": \"Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) Vulnerable to Bypass of IAM Authenticator\", \"source\": {\"advisory\": \"GHSA-gmc5-9mpc-xg75\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"cyberark\", \"product\": \"conjur\", \"versions\": [{\"status\": \"affected\", \"version\": \"Conjur OSS \u003e= 1.19.5, \u003c 1.22.1\"}, {\"status\": \"affected\", \"version\": \"Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) \u003e= 13.1, \u003c 13.5.1\"}, {\"status\": \"affected\", \"version\": \"Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) \u003e= 13.6, \u003c 13.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/cyberark/conjur/security/advisories/GHSA-gmc5-9mpc-xg75\", \"name\": \"https://github.com/cyberark/conjur/security/advisories/GHSA-gmc5-9mpc-xg75\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/cyberark/conjur/releases/tag/v1.22.1\", \"name\": \"https://github.com/cyberark/conjur/releases/tag/v1.22.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.5 and 13.6 are vulnerable to bypass of the IAM authenticator. An attacker who can manipulate the headers signed by AWS can take advantage of a malformed regular expression to redirect the authentication validation request that Secrets Manager, Self-Hosted sends to AWS to a malicious server controlled by the attacker. This redirection could result in a bypass of the Secrets Manager, Self-Hosted IAM Authenticator, granting the attacker the permissions granted to the client whose request was manipulated. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-807\", \"description\": \"CWE-807: Reliance on Untrusted Inputs in a Security Decision\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-15T19:26:06.451Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-49827\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T21:11:21.326Z\", \"dateReserved\": \"2025-06-11T14:33:57.799Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-15T19:26:06.451Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…