CVE-2025-6013

Medium CVSS: 6.5

Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

Vendor

Hashicorp

Product

Vault

CWE

CWE-156

Yayın Tarihi

2025-08-06 10:15:35

Güncelleme

2025-12-15 16:13:23

Source Identifier

security@hashicorp.com

KEV Date Added

Kategoriler

CWE-156 Vault MEDIUM Hashicorp 2025

Referanslar

https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092

Benzer Kayıtlar

High

CVE-2025-13357

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by def…

Medium

CVE-2025-13432

Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise w…

Medium

CVE-2025-11374

Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect C…

Medium

CVE-2025-11375

Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum…

High

CVE-2025-12044

Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payload…

High

CVE-2025-11621

Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the co…