
Commit a2a4914

1 parent aad237a commit a2a4914


2 files changed

+58
-8
lines changed

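--- a/<path-not-shown-on-page-GHSA-f9ch-h8j7-8jwg>
+++ b/<path-not-shown-on-page-GHSA-f9ch-h8j7-8jwg>
@@ -1,19 +1,40 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f9ch-h8j7-8jwg",
-"modified": "2025-05-02T18:31:38Z",
+"modified": "2025-05-02T19:32:38Z",
 "published": "2025-05-02T18:31:38Z",
 "aliases": [
 "CVE-2025-3879"
 ],
+"summary": "Hashicorp Vault Community vulnerable to Incorrect Authorization",
 "details": "Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/hashicorp/vault"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.10.0"
+},
+{
+"fixed": "1.19.1"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -22,15 +43,19 @@
 {
 "type": "WEB",
 "url": "https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/hashicorp/vault"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-863"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2025-05-02T19:32:37Z",
 "nvd_published_at": "2025-05-02T17:15:51Z"
 }
 }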
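Review bot: The new `affected` entry attributes the whole issue to the `github.com/hashicorp/vault` module, while the `details` text places the flaw in the Azure auth method, which appears to be maintained and versioned as a separate Go module that Vault pulls in; if the fix landed there, consumers that pin that module directly get no match from this range. Worth confirming against the vendor advisory linked under `references` and, if so, adding a second `affected` object for that module with its own `introduced`/`fixed` events. The single `"fixed": "1.19.1"` event also leaves every 1.16–1.18 Community release flagged, which matches the `details` (only Enterprise received backports) and so looks intentional.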
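--- a/<path-not-shown-on-page-GHSA-gcqf-f89c-68hv>
+++ b/<path-not-shown-on-page-GHSA-gcqf-f89c-68hv>
@@ -1,19 +1,40 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gcqf-f89c-68hv",
-"modified": "2025-05-02T15:31:49Z",
+"modified": "2025-05-02T19:31:47Z",
 "published": "2025-05-02T15:31:49Z",
 "aliases": [
 "CVE-2025-4166"
 ],
+"summary": "Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information",
 "details": "Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/hashicorp/vault"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0.3.0"
+},
+{
+"fixed": "1.19.3"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -22,15 +43,19 @@
 {
 "type": "WEB",
 "url": "https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/hashicorp/vault"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-209"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2025-05-02T19:31:47Z",
 "nvd_published_at": "2025-05-02T15:15:50Z"
 }
 }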
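Review bot: The `"introduced": "0.3.0"` bound in the new `affected.ranges` predates the Key/Value Version 2 plugin that the `details` text names as the vulnerable component, so the range flags early releases that, as far as I recall, could not contain the bug (KV v2 arrived much later than 0.3.0, around the 0.10 line); confirm the lower bound against the vendor advisory under `references` and tighten it if the data supports that. As with GHSA-f9ch-h8j7-8jwg in the same commit, the KV engine appears to be developed as a separately versioned Go module, so a matching `affected` object for that module may be needed for scanners that resolve it directly rather than through `github.com/hashicorp/vault`.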
