CVE-2020-16250
Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault
8.2
HIGH
CVSS 3.1
EPSS 2.2%
Description
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..
How to fix CVE-2020-16250
To remediate CVE-2020-16250, upgrade the affected package to a fixed version below.
- —upgrade to 1.2.5 or later
- —upgrade to 1.2.5 or later
- —upgrade to 1.2.5 or later
Is CVE-2020-16250 being exploited?
Low — EPSS is 2.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 0.7.1, < 1.2.5, >= 1.3.0, < 1.3.8, >= 1.4.0, < 1.4.4, >= 1.5.0, < 1.5.1
- >= 0.8.1, < 1.2.5
- >= 0.8.1, < 1.2.5, >= 1.3.0, < 1.3.8, >= 1.4.0, < 1.4.4, >= 1.5.0, < 1.5.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |