HIGH🇬🇧 English

CVE-2025-49830

CVSS 7.1v4.0pub. 2025-07-15upd. 2025-11-04

Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who is able to load policy can use the policy yaml parser to reference files on the Secrets Manager, Self-Hosted server. These references may be used as reconnaissance to better understand the folder structure of the Secrets Manager/Conjur server or to have the yaml parser include files on the server in the yaml that is processed as the policy loads. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Cyberark Conjur

    APP
    Cyberark
    13.6< 1.22.1< 13.5.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Path Traversal
CWE
Referencje

Powiązane podatności

CVE-2025-49827CRITICAL9.1PL ✓ten sam produkt

CyberArk Conjur — bypass uwierzytelniania IAM przez błędne wyrażenie regularne

CVE-2025-49831CRITICAL9.1PL ✓ten sam produkt

CyberArk Conjur – pominięcie uwierzytelnienia przez przekierowanie ruchu (Auth Bypass)

CVE-2025-49828HIGH8.6ten sam produkt

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 thr...

CVE-2025-49829MEDIUM6.0ten sam produkt

Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets...

CVE-2019-7442CRITICAL9.8ten sam vendor

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Pass...