#VU46232 Improper Authentication in Vault - CVE-2020-16250
Published: August 26, 2020 / Updated: September 3, 2020
Vulnerability identifier: #VU46232
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-16250
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Vault
Software vendor: HashiCorp
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Remediation
Install the update from the vendor's website.