CVE-2020-25594
First published: Mon Feb 01 2021(Updated: )
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HashiCorp Vault | <1.5.7 | |
| HashiCorp Vault | <1.5.7 | |
| HashiCorp Vault | >=1.6.0<1.6.2 | |
| HashiCorp Vault | >=1.6.0<1.6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-25594?
CVE-2020-25594 is a vulnerability in HashiCorp Vault and Vault Enterprise that allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests.
What is the severity of CVE-2020-25594?
The severity of CVE-2020-25594 is medium, with a severity value of 5.3.
How can I fix CVE-2020-25594?
To fix CVE-2020-25594, you need to upgrade to HashiCorp Vault version 1.6.2 or 1.5.7.
Where can I find more information about CVE-2020-25594?
You can find more information about CVE-2020-25594 in the following references: [link1](https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336), [link2](https://security.gentoo.org/glsa/202207-01).
- collector/nvd-index
- vendor/hashicorp
- canonical/hashicorp vault
- version/hashicorp vault/1.6.0