CVE-2020-16250
First published: Wed Aug 26 2020(Updated: )
A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM identities and roles may be manipulated and bypass authentication.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/hashicorp/vault | >=1.4.0<1.4.4 | 1.4.4 |
| go/github.com/hashicorp/vault | >=1.3.0<1.3.8 | 1.3.8 |
| go/github.com/hashicorp/vault | >=0.8.1<1.2.5 | 1.2.5 |
| go/github.com/hashicorp/vault | >=1.5.0<1.5.1 | 1.5.1 |
| HashiCorp Vault | >=0.7.1<1.2.5 | |
| HashiCorp Vault | >=0.7.1<1.2.5 | |
| HashiCorp Vault | >=1.3.0<1.3.8 | |
| HashiCorp Vault | >=1.3.0<1.3.8 | |
| HashiCorp Vault | >=1.4.0<1.4.4 | |
| HashiCorp Vault | >=1.4.0<1.4.4 | |
| HashiCorp Vault | >=1.5.0<1.5.1 | |
| HashiCorp Vault | >=1.5.0<1.5.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-16250
- https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151
- https://www.hashicorp.com/blog/category/vault/
- http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html
- https://github.com/advisories/GHSA-fp52-qw33-mfmw (Advisory)
- https://access.redhat.com/errata/RHSA-2023:3342
- https://access.redhat.com/errata/RHSA-2023:3742
- https://access.redhat.com/security/cve/cve-2020-16250
- https://bugzilla.redhat.com/show_bug.cgi?id=2167337
- https://www.cve.org/CVERecord?id=CVE-2020-16250 https://nvd.nist.gov/vuln/detail/CVE-2020-16250 https://discuss.hashicorp.com/t/hcsec-2020-16-vault-s-aws-auth-method-allows-authentication-bypass/18101
Frequently Asked Questions
What is the vulnerability ID of this flaw?
The vulnerability ID is CVE-2020-16250.
What is the severity level of CVE-2020-16250?
The severity level of CVE-2020-16250 is high, with a CVSS score of 8.2.
Which versions of HashiCorp Vault are affected by CVE-2020-16250?
HashiCorp Vault versions 0.7.1 and newer are affected by CVE-2020-16250.
How can I fix the vulnerability CVE-2020-16250?
To fix the vulnerability CVE-2020-16250, update HashiCorp Vault to versions 1.2.5, 1.3.8, 1.4.4, or 1.5.1.
Where can I find more information about CVE-2020-16250?
You can find more information about CVE-2020-16250 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2020-16250) and NVD website (https://nvd.nist.gov/vuln/detail/CVE-2020-16250).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- alias/GHSA-fp52-qw33-mfmw
- alias/CVE-2020-16250
- collector/github-advisory-latest
- collector/nvd-api
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/redhat-cve
- package-manager/go
- vendor/hashicorp
- canonical/hashicorp vault
- version/hashicorp vault/0.7.1
- version/hashicorp vault/1.3.0
- version/hashicorp vault/1.4.0
- version/hashicorp vault/1.5.0
- package-manager/redhat