CVE-2020-16250
HIGH
HashiCorp Vault 0.7.1-1.2.4 - Authentication Bypass via AWS IAM Auth Method
Title source: llm
Description
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
References (3)
Core References
Product, Vendor Advisory x_refsource_misc
https://www.hashicorp.com/blog/category/vault/
Release Notes, Vendor Advisory x_refsource_misc
https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html
Scores
CVSS v3
8.2
EPSS
0.0150
EPSS Percentile
70.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Details
CWE
CWE-290
CWE-345
Status
published
Products (2)
hashicorp/vault
0.7.1 - 1.2.5 (2 CPE variants)
hashicorp/vault
0.8.1 - 1.2.5 (Go)
Published
Aug 26, 2020
Tracked Since
Feb 18, 2026