Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NHashicorp Vault
APPHashicorp1.10.0 – 1.15.161.10.0 – 1.20.2 (bez)1.16.0 – 1.16.24 (bez)1.17.0 – 1.18.13 (bez)1.19.0 – 1.19.8 (bez)1.20.0 – 1.20.2 (bez)
Related vulnerabilities
HashiCorp Vault: RCE przez uprzywilejowanego operatora via sys/audit
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity...
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an...
The official vault docker images before 0.11.6 contain a blank password for a root user. System using the vaul...
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorre...