PT-2025-29672 · CyberArk · Conjur OSS +1
Shahar Tal +1 · Published 2025-07-15 · Updated 2025-08-08
CVE-2025-49830
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Conjur Secrets Manager, Self-Hosted versions prior to 13.5.1 and 13.6.1
Conjur OSS versions prior to 1.22.1
Description
Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who is able to load policy can use the policy YAML parser to reference files on the Secrets Manager, Self-Hosted server. These references may be used for reconnaissance to understand the folder structure of the Secrets Manager/Conjur server or to have the YAML parser include files on the server in the YAML that is processed when the policy loads.
Recommendations
Upgrade Conjur Secrets Manager, Self-Hosted to version 13.5.1 or 13.6.1.
Upgrade Conjur OSS to version 1.22.1.
Path traversal
Affected Products
Conjur OSS
Conjur Secrets Manager