ghsa-fp52-qw33-mfmw
Vulnerability from github
Published
2021-08-02 17:11
Modified
2023-08-29 22:39
Severity
Summary
Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault
Details
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..
{ "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/hashicorp/vault" }, "ranges": [ { "events": [ { "introduced": "0.8.1" }, { "fixed": "1.2.5" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/hashicorp/vault" }, "ranges": [ { "events": [ { "introduced": "1.3.0" }, { "fixed": "1.3.8" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/hashicorp/vault" }, "ranges": [ { "events": [ { "introduced": "1.4.0" }, { "fixed": "1.4.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/hashicorp/vault" }, "ranges": [ { "events": [ { "introduced": "1.5.0" }, { "fixed": "1.5.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-16250" ], "database_specific": { "cwe_ids": [ "CWE-290", "CWE-345" ], "github_reviewed": true, "github_reviewed_at": "2021-07-26T18:55:09Z", "nvd_published_at": "2020-08-26T15:15:00Z", "severity": "HIGH" }, "details": "HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..", "id": "GHSA-fp52-qw33-mfmw", "modified": "2023-08-29T22:39:27Z", "published": "2021-08-02T17:11:41Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16250" }, { "type": "PACKAGE", "url": "https://github.com/hashicorp/vault" }, { "type": "WEB", "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151" }, { "type": "WEB", "url": "https://www.hashicorp.com/blog/category/vault" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "type": "CVSS_V3" } ], "summary": "Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault" }
Loading...