PT-2020-17273 · Hashicorp · Vault Enterprise +1

Published: 2020-12-17 · Updated: 2024-06-28 · CVE-2020-35177

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

HashiCorp Vault and Vault Enterprise versions 1.4.1 through 1.5.5
HashiCorp Vault and Vault Enterprise version 1.6.0
Description

The issue allows enumeration of users via the LDAP auth method. The number of affected installations worldwide is not specified, and no real-world incidents exploiting this issue have been reported.

Recommendations

For HashiCorp Vault and Vault Enterprise versions 1.4.1 through 1.5.5, update to version 1.5.6 or newer. For HashiCorp Vault and Vault Enterprise version 1.6.0, update to version 1.6.1 or newer. As a temporary workaround, restrict access to the LDAP auth method until the update can be applied.
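Where the update cannot be applied immediately, the defensive question is whether anyone is probing usernames through the LDAP login endpoint. The following script is an added example, not part of this advisory and not HashiCorp code: it reads Vault audit log entries and flags a source address that fails logins against many distinct usernames within a short window, which is the traffic pattern an enumeration attempt leaves behind regardless of which response detail leaks. The sample entries are constructed, and the field names (type, request.path, request.remote_address, error) are an assumption modelled on the JSON shape of Vault's file audit device; verify them against your own audit log before relying on the rule.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Login requests to the LDAP auth method carry the username in the path.
LDAP_LOGIN_PREFIX = "auth/ldap/login/"

# Constructed sample lines in the shape written by Vault's file audit device.
# Field names are an assumption for this example; check them against real logs.
SAMPLE_AUDIT_LINES = [
    # A "request" entry is logged before the matching "response"; only responses carry the error.
    '{"time":"2020-12-17T10:00:01Z","type":"request","request":{"operation":"update","path":"auth/ldap/login/alice","remote_address":"203.0.113.5"}}',
    '{"time":"2020-12-17T10:00:01Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/alice","remote_address":"203.0.113.5"},"error":"ldap operation failed"}',
    '{"time":"2020-12-17T10:00:12Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/bob","remote_address":"203.0.113.5"},"error":"ldap operation failed"}',
    '{"time":"2020-12-17T10:00:25Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/carol","remote_address":"203.0.113.5"},"error":"ldap operation failed"}',
    '{"time":"2020-12-17T10:00:40Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/dave","remote_address":"203.0.113.5"},"error":"ldap operation failed"}',
    '{"time":"2020-12-17T10:01:03Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/erin","remote_address":"203.0.113.5"},"error":"ldap operation failed"}',
    '{"time":"2020-12-17T10:01:30Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/frank","remote_address":"203.0.113.5"},"error":"ldap operation failed"}',
    # A single user mistyping a password twice and then succeeding: not enumeration.
    '{"time":"2020-12-17T10:00:05Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/jdoe","remote_address":"198.51.100.7"},"error":"ldap operation failed"}',
    '{"time":"2020-12-17T10:00:20Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/jdoe","remote_address":"198.51.100.7"},"error":"ldap operation failed"}',
    '{"time":"2020-12-17T10:00:45Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/jdoe","remote_address":"198.51.100.7"}}',
]


def parse_failed_ldap_logins(lines):
    """Yield (timestamp, remote_address, username) for each failed LDAP login response."""
    for line in lines:
        entry = json.loads(line)
        # Only response entries with an error represent a failed login.
        if entry.get("type") != "response" or not entry.get("error"):
            continue
        req = entry.get("request", {})
        path = req.get("path", "")
        if not path.startswith(LDAP_LOGIN_PREFIX):
            continue
        username = path[len(LDAP_LOGIN_PREFIX):]
        # Sample timestamps omit fractional seconds; real logs may need a looser parser.
        ts = datetime.strptime(entry["time"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, req.get("remote_address", "unknown"), username


def find_username_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Return {remote_address: sorted usernames} for every source that failed LDAP
    logins against at least `threshold` distinct usernames inside one `window`."""
    attempts = defaultdict(list)
    for ts, remote, user in parse_failed_ldap_logins(lines):
        attempts[remote].append((ts, user))

    flagged = {}
    for remote, events in attempts.items():
        events.sort()
        # Slide a window starting at each failure and count distinct usernames in it.
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[remote] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for remote, users in find_username_enumeration(SAMPLE_AUDIT_LINES).items():
        print(f"{remote}: {len(users)} distinct usernames failed: {', '.join(users)}")
```

The rule keys on distinct usernames per source rather than on failure counts, so a legitimate user retrying one password (198.51.100.7 above) is not reported while a source walking through many names is. Tune `window` and `threshold` to the login volume of your own deployment.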

Fix

Information Disclosure

Generation of Error Message Containing Sensitive Information

Weakness Enumeration

Related Identifiers

BIT-VAULT-2020-35177
CVE-2020-35177
GHSA-RPGP-9HMG-J25X
GO-2024-2508

Affected Products

Hashicorp Vault
Vault Enterprise