#VU46233 Improper Authentication in Vault - CVE-2020-16251

Published: August 26, 2020 / Updated: September 3, 2020


Vulnerability identifier: #VU46233
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-16251
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Vault
Software vendor: HashiCorp

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Remediation

Install the update from the vendor's website.

External links