CVE-2020-35177: Information Exposure via Error Message in HashiCorp Vault

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.4% (top 39.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 17; latest update Jun 28

Description

HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

Source  Package                     Affected  Fixed
NVD     hashicorp/vault             1.5.0     1.5.6  (+1)
Go      github.com/hashicorp_vault  1.5.0     1.5.6  (+1)

Vulnerability Details (3)

OSV   Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault  2024-06-28
OSV   Enumeration of users in HashiCorp Vault                                 2024-01-31
GHSA  Enumeration of users in HashiCorp Vault                                 2024-01-31

Vendor Advisories (1)

Red Hat  vault: Enumeration of users via the LDAP auth method  2020-12-17