CVE-2020-16250

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

History

21 Nov 2024, 05:07

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html - Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html - Third Party Advisory, VDB Entry
References () https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151 - Release Notes, Vendor Advisory () https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151 - Release Notes, Vendor Advisory
References () https://www.hashicorp.com/blog/category/vault/ - Product, Vendor Advisory () https://www.hashicorp.com/blog/category/vault/ - Product, Vendor Advisory

29 Aug 2023, 17:13

Type Values Removed Values Added
CVSS v2 : 7.5
v3 : 9.8
v2 : 7.5
v3 : 8.2

Information

Published : 2020-08-26 15:15

Updated : 2024-11-21 05:07


NVD link : CVE-2020-16250

Mitre link : CVE-2020-16250

CVE.ORG link : CVE-2020-16250


JSON object : View

Products Affected

hashicorp

  • vault
CWE
CWE-290

Authentication Bypass by Spoofing

CWE-345

Insufficient Verification of Data Authenticity