CVE-2020-16250
Published: 2020-08-26
Priority: P3 · 50 · high · 8.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS: 1.46% (70.3th percentile)
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0.8.1 < 1.2.5 | 1.2.5 |
| github.com | hashicorp_vault | >= 1.3.0 < 1.3.8 | 1.3.8 |
| github.com | hashicorp_vault | >= 1.4.0 < 1.4.4 | 1.4.4 |
| github.com | hashicorp_vault | >= 1.5.0 < 1.5.1 | 1.5.1 |
| hashicorp | vault | >= 0.7.1 < 1.2.5 | 1.2.5 |
| hashicorp | vault | >= 1.3.0 < 1.3.8 | 1.3.8 |
| hashicorp | vault | >= 1.4.0 < 1.4.4 | 1.4.4 |
| hashicorp | vault | >= 1.5.0 < 1.5.1 | 1.5.1 |
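CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | | 8.2 | HIGH | |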
OSV
Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault
osv·2024-08-21
CVE-2020-16250 Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault
GHSA
Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault
ghsa·2021-08-02
CVE-2020-16250 [HIGH] CWE-290 Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault
OSV
Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault
osv·2021-08-02
CVE-2020-16250 [HIGH] Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault
Project0
Enter the Vault: Authentication Issues in HashiCorp Vault - Project Zero
project_zero·2020-10-01·CVSS 8.2
CVE-2020-16250 [HIGH] Enter the Vault: Authentication Issues in HashiCorp Vault - Project Zero
Posted by Felix Wilhelm, Project Zero
## Introduction
In this blog post I'll discuss two vulnerabilities in HashiCorp Vault and its integration with Amazon Web Services (AWS) and Google Cloud Platform (GCP). These issues can lead to an authentication bypass in configurations that use the aws and gcp auth methods, and demonstrate the type of issues you can find in modern “cloud-native” software. Both vulnerabilities (CVE-2020-16250/16251) were addressed by HashiCorp and are fixed in Vault versions 1.2.5, 1.3.8, 1.4.4 and 1.5.1 released in August.
Vault is a widely used tool for securely storing, generating and accessing secrets such as API keys, passwords or certificates. It can be used as a shared password manager for human users, but its feature set is optimized for API based access b
Red Hat
vault: Hashicorp Vault AWS IAM Integration Authentication Bypass
vendor_redhat·2020-08-26·CVSS 8.2
CVE-2020-16250 [HIGH] CWE-290 vault: Hashicorp Vault AWS IAM Integration Authentication Bypass
A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM identities and roles may be manipulated and bypass authentication.
Package: openshift-logging/logging-loki-rhel9 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: openshift4/ose-installer-rhel9 (Red Hat OpenShift Container Platform 4) - Not affected
Package: ocs4/cephcsi-rhel8 (Red Hat Openshift Containe
No detection rules found.
No public exploits indexed.
Trailofbits
Unexpected security footguns in Go's parsers
blogs_trailofbits·2025-06-18·CVSS 8.2
CVE-2020-16250 [HIGH] Unexpected security footguns in Go's parsers
In Go applications, parsing untrusted data creates a dangerous attack surface that’s routinely exploited in the wild. During our security assessments, we’ve repeatedly exploited unexpected behaviors in Go’s JSON, XML, and YAML parsers to bypass authentication, circumvent authorization controls, and exfiltrate sensitive data from production systems.
These aren’t theoretical issues—they’ve led to documented vulnerabilities like CVE-2020-16250 (a Hashicorp Vault authentication bypass found by Google’s Project Zero) and numerous high-impact findings in our client engagements.
This post contextualizes these unexpected parser behaviors through three attack scenarios that every security engineer and Go developer should understand:
1. (Un)Marshaling unexpected data: How Go parsers can expose da
http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html
https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151
https://www.hashicorp.com/blog/category/vault/
Published: 2020-08-26