CVE-2025-6011

Low CVSS: 3.7

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Vendor

Hashicorp

Product

Vault

CWE

CWE-203

Yayın Tarihi

2025-08-01 18:15:56

Güncelleme

2025-08-13 18:10:13

Source Identifier

security@hashicorp.com

KEV Date Added

Kategoriler

CWE-203 Vault LOW Hashicorp 2025

Referanslar

https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034

Benzer Kayıtlar

High

CVE-2025-13357

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by def…

Medium

CVE-2025-13432

Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise w…

Medium

CVE-2025-11374

Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect C…

Medium

CVE-2025-11375

Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum…

High

CVE-2025-12044

Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payload…

High

CVE-2025-11621

Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the co…