csaf_certbund - wid-sec-w-2025-2396

wid-sec-w-2025-2396

Vulnerability from csaf_certbund

Published

2025-10-23 22:00

Modified

2025-11-24 23:00

Summary

Hashicorp Vault: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Vault ist ein identitätsbasiertes System zur Verwaltung von Geheimnissen und Verschlüsselung.

Angriff

Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Hashicorp Vault ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen.

Betroffene Betriebssysteme

- Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Vault ist ein identit\u00e4tsbasiertes System zur Verwaltung von Geheimnissen und Verschl\u00fcsselung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Hashicorp Vault ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-2396 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2396.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-2396 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2396"
      },
      {
        "category": "external",
        "summary": "Hashicorp Security Advisory vom 2025-10-23",
        "url": "https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709"
      },
      {
        "category": "external",
        "summary": "Hashicorp Security Advisory vom 2025-10-23",
        "url": "https://discuss.hashicorp.com/t/hcsec-2025-31-vault-vulnerable-to-denial-of-service-due-to-rate-limit-regression/76710"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:21984 vom 2025-11-24",
        "url": "https://access.redhat.com/errata/RHSA-2025:21984"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:21981 vom 2025-11-24",
        "url": "https://access.redhat.com/errata/RHSA-2025:21981"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:21976 vom 2025-11-24",
        "url": "https://access.redhat.com/errata/RHSA-2025:21976"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:21988 vom 2025-11-24",
        "url": "https://access.redhat.com/errata/RHSA-2025:21988"
      }
    ],
    "source_lang": "en-US",
    "title": "Hashicorp Vault: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-11-24T23:00:00.000+00:00",
      "generator": {
        "date": "2025-11-25T08:37:13.360+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2025-2396",
      "initial_release_date": "2025-10-23T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-10-23T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-10-26T23:00:00.000+00:00",
          "number": "2",
          "summary": "CVSSv3.1 korrigiert"
        },
        {
          "date": "2025-11-24T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Community Edition \u003c1.21.0",
                "product": {
                  "name": "Hashicorp Vault Community Edition \u003c1.21.0",
                  "product_id": "T048100"
                }
              },
              {
                "category": "product_version",
                "name": "Community Edition 1.21.0",
                "product": {
                  "name": "Hashicorp Vault Community Edition 1.21.0",
                  "product_id": "T048100-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:community_edition__1.21.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Enterprise \u003c1.21.0",
                "product": {
                  "name": "Hashicorp Vault Enterprise \u003c1.21.0",
                  "product_id": "T048101"
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise 1.21.0",
                "product": {
                  "name": "Hashicorp Vault Enterprise 1.21.0",
                  "product_id": "T048101-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:enterprise__1.21.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Enterprise \u003c1.19.11",
                "product": {
                  "name": "Hashicorp Vault Enterprise \u003c1.19.11",
                  "product_id": "T048102"
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise 1.19.11",
                "product": {
                  "name": "Hashicorp Vault Enterprise 1.19.11",
                  "product_id": "T048102-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:enterprise__1.19.11"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Enterprise \u003c1.16.27",
                "product": {
                  "name": "Hashicorp Vault Enterprise \u003c1.16.27",
                  "product_id": "T048103"
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise 1.16.27",
                "product": {
                  "name": "Hashicorp Vault Enterprise 1.16.27",
                  "product_id": "T048103-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:enterprise__1.16.27"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Enterprise \u003c1.20.5",
                "product": {
                  "name": "Hashicorp Vault Enterprise \u003c1.20.5",
                  "product_id": "T048106"
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise 1.20.5",
                "product": {
                  "name": "Hashicorp Vault Enterprise 1.20.5",
                  "product_id": "T048106-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hashicorp:vault:enterprise__1.20.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Vault"
          }
        ],
        "category": "vendor",
        "name": "Hashicorp"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-11621",
      "product_status": {
        "known_affected": [
          "67646",
          "T048102",
          "T048101",
          "T048100",
          "T048106",
          "T048103"
        ]
      },
      "release_date": "2025-10-23T22:00:00.000+00:00",
      "title": "CVE-2025-11621"
    },
    {
      "cve": "CVE-2025-12044",
      "product_status": {
        "known_affected": [
          "67646",
          "T048102",
          "T048101",
          "T048100",
          "T048106",
          "T048103"
        ]
      },
      "release_date": "2025-10-23T22:00:00.000+00:00",
      "title": "CVE-2025-12044"
    }
  ]
}

CVE-2025-11621 (GCVE-0-2025-11621)

Vulnerability from cvelistv5

Published

2025-10-23 19:08

Modified

2025-10-24 03:55

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Summary

Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27

References

URL

Tags

https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709

Impacted products

Vendor

Product

Version

Version: 0.6.0 ≤

Version: 0.6.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11621",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-23T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-24T03:55:22.629Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "1.21.0",
              "status": "affected",
              "version": "0.6.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.20.5",
                  "status": "unaffected"
                },
                {
                  "at": "1.19.11",
                  "status": "unaffected"
                },
                {
                  "at": "1.16.27",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.21.0",
              "status": "affected",
              "version": "0.6.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVault and Vault Enterprise\u2019s (\u201cVault\u201d) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115: Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-23T19:08:54.989Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709"
        }
      ],
      "source": {
        "advisory": "HCSEC-2025-30",
        "discovery": "EXTERNAL"
      },
      "title": "Vault AWS auth method bypass due to AWS client cache"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2025-11621",
    "datePublished": "2025-10-23T19:08:54.989Z",
    "dateReserved": "2025-10-10T19:48:57.601Z",
    "dateUpdated": "2025-10-24T03:55:22.629Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-12044 (GCVE-0-2025-12044)

Vulnerability from cvelistv5

Published

2025-10-23 19:15

Modified

2025-10-23 20:00

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393] which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.

References

URL

Tags

https://discuss.hashicorp.com/t/hcsec-2025-31-vault-vulnerable-to-denial-of-service-due-to-rate-limit-regression/76710

Impacted products

Vendor

Product

Version

HashiCorp

Vault

Version: 1.20.3 ≤

HashiCorp

Vault Enterprise

Version: 1.20.3   ≤
Version: 1.19.9   ≤
Version: 1.18.14   ≤
Version: 1.16.25   ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12044",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-23T19:57:38.994628Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-23T20:00:16.601Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "1.21.0",
              "status": "affected",
              "version": "1.20.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.20.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.21.0",
              "status": "affected",
              "version": "1.20.3",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "1.19.11",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.19.11",
              "status": "affected",
              "version": "1.19.9",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "1.18.15",
                  "status": "affected"
                }
              ],
              "lessThan": "1.18.15",
              "status": "affected",
              "version": "1.18.14",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "1.16.27",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.16.27",
              "status": "affected",
              "version": "1.16.25",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVault and Vault Enterprise (\u201cVault\u201d) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393]\u00a0 which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "Vault and Vault Enterprise (\u201cVault\u201d) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393]\u00a0 which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130: Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-23T19:15:16.567Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2025-31-vault-vulnerable-to-denial-of-service-due-to-rate-limit-regression/76710"
        }
      ],
      "source": {
        "advisory": "HCSEC-2025-31",
        "discovery": "EXTERNAL"
      },
      "title": "Vault Vulnerable to Denial of Service Due to Rate Limit Regression"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2025-12044",
    "datePublished": "2025-10-23T19:15:16.567Z",
    "dateReserved": "2025-10-21T19:12:21.827Z",
    "dateUpdated": "2025-10-23T20:00:16.601Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

wid-sec-w-2025-2396

Vulnerability from csaf_certbund

CVE-2025-11621 (GCVE-0-2025-11621)

Vulnerability from cvelistv5

CVE-2025-12044 (GCVE-0-2025-12044)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature