CVE-2020-16250
HIGH
Hashicorp Vault < 1.2.5 - Authentication Bypass by Spoofing
Title source: ruleDescription
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
References (3)
Core References
Product, Vendor Advisory x_refsource_misc
https://www.hashicorp.com/blog/category/vault/
Release Notes, Vendor Advisory x_refsource_misc
https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html
Scores
CVSS v3
8.2
EPSS
0.0236
EPSS Percentile
85.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Details
CWE
CWE-290
CWE-345
Status
published
Products (2)
hashicorp/vault
0.7.1 - 1.2.5 (2 CPE variants)
hashicorp/vault
0.8.1 - 1.2.5 (Go)
Published
Aug 26, 2020
Tracked Since
Feb 18, 2026