CNNVD-202510-3222 Information
CNNVD ID
CNNVD-202510-3222
Related CVE
- CNNVD Published: 2025-10-23
Description (Chinese)
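HashiCorp Vault Enterprise is an enterprise information archiving platform from the US company HashiCorp. HashiCorp Vault Enterprise versions 1.21.0, 1.20.5, 1.19.11 and 1.16.27 contain a security vulnerability. The vulnerability arises when the bound_principal_iam role configured in the AWS Auth method is the same across AWS accounts or uses a wildcard, which may lead to an authentication bypass.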
Description (English)
HashiCorp Vault Enterprise is an enterprise information archiving platform from the US company HashiCorp. HashiCorp Vault Enterprise versions 1.21.0, 1.20.5, 1.19.11 and 1.16.27 contain a security vulnerability, which arises when the bound_principal_iam role configured in the AWS Auth method is the same across AWS accounts or uses wildcards, and which may lead to an authentication bypass.
Hazard Level
Medium
Vulnerability Type
Other
Affected Vendor
HashiCorp
Published
2025-10-23
Last Modified
2026-02-24
References
https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709
https://access.redhat.com/security/cve/cve-2025-11621
Patch
https://www.hashicorp.com/en/products/vault