216.73.217.22

CVE-2025-3879

· Published 02/05/2025 17:15 · Modified 02/05/2025 17:15

Labels: CVE-2025-3879 2025-05-02CVE-2025-3879CWE-863[email protected]

Essential information

Published
02/05/2025 17:15
Modified
02/05/2025 17:15
Author
Creator
CVSS
6.6 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
hashicorp / vault community cpe:2.3:a:hashicorp:vault_community:1.19.1:*:*:*:*:*:*:*
hashicorp / vault enterprise cpe:2.3:a:hashicorp:vault_enterprise:1.19.1:*:*:*:*:*:*:*
hashicorp / vault enterprise cpe:2.3:a:hashicorp:vault_enterprise:1.18.7:*:*:*:*:*:*:*
hashicorp / vault enterprise cpe:2.3:a:hashicorp:vault_enterprise:1.17.14:*:*:*:*:*:*:*
hashicorp / vault enterprise cpe:2.3:a:hashicorp:vault_enterprise:1.16.18:*:*:*:*:*:*:*

References