CVE-2025-49828

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-49828

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49828.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-49828

Aliases

GHSA-93hx-v9pv-qrm4

Published

2025-07-15T19:35:33.147Z

Modified

2026-04-10T05:29:39.697886Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) Vulnerable to Remote Code Execution

Details

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database could take advantage of an exposed API endpoint to execute arbitrary Ruby code within the Secrets Manager process. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.21.2 and Secrets Manager, Self-Hosted version 13.5 fix the issue.

Database specific

{
    "cwe_ids": [
        "CWE-1336"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49828.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/cyberark/conjur

Affected ranges

Type

GIT

Repo

https://github.com/cyberark/conjur

Events

Introduced

Fixed

4a4fd0ef5777f206dc773e504e6d17e8fa28f00a

Database specific

{
    "versions": [
        {
            "introduced": "1.20.1"
        },
        {
            "fixed": "1.21.2"
        }
    ]
}

Affected versions

1.*

1.2.0

Other

delete

v0.*

v0.2.0

v0.3.0

v0.6.0

v0.7.0

v0.8.0

v0.8.1

v0.9.0

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.1.1

v1.1.2

v1.10.0

v1.11.0

v1.11.1

v1.11.2

v1.11.3

v1.11.4

v1.11.5

v1.11.6

v1.11.7

v1.12.0

v1.13.0

v1.13.1

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.16.0-2224

v1.16.0-2233

v1.16.0-2238

v1.16.0-2258

v1.16.0-2264

v1.16.0-2265

v1.16.0-2266

v1.16.0-2271

v1.16.0-2280

v1.16.0-2281

v1.16.0-2286

v1.17.0-2299

v1.17.1-2301

v1.17.1-2305

v1.17.1-2306

v1.17.1-2307

v1.17.1-2312

v1.17.1-2314

v1.17.2-2321

v1.17.2-2323

v1.17.2-2324

v1.17.2-2330

v1.17.2-2341

v1.17.2-2371

v1.17.2-2380

v1.17.2-2401

v1.17.2-2408

v1.17.2-2468

v1.17.2-2477

v1.17.3

v1.17.3-2478

v1.17.3-2484

v1.17.3-2498

v1.17.4-2500

v1.17.5-2503

v1.17.5-2515

v1.17.5-2521

v1.17.6

v1.17.6-2525

v1.17.6-2555

v1.17.6-2562

v1.17.6-2571

v1.17.6-2585

v1.17.7

v1.17.7-2648

v1.17.7-2653

v1.17.7-2670

v1.17.7-2695

v1.17.7-2705

v1.17.7-2710

v1.17.7-2766

v1.17.7-2782

v1.17.7-2785

v1.17.8-2829

v1.18.0

v1.18.0-2834

v1.18.0-2837

v1.18.0-2845

v1.18.0-2856

v1.18.0-2864

v1.18.0-2871

v1.18.0-2891

v1.18.0-2893

v1.18.0-2902

v1.18.1

v1.18.1-2924

v1.18.1-2928

v1.18.1-2953

v1.18.1-2957

v1.18.1-2961

v1.18.1-2963

v1.18.1-2969

v1.18.2

v1.18.2-3025

v1.18.2-3030

v1.18.3

v1.18.3-3057

v1.18.4

v1.18.4-3067

v1.18.5-3122

v1.18.5-3123

v1.18.5-3165

v1.18.5-3170

v1.18.5-3183

v1.18.5-3187

v1.19.0

v1.19.0-3227

v1.19.0-3228

v1.19.0-3239

v1.19.0-3243

v1.19.0-3276

v1.19.0-3290

v1.19.0-3292

v1.19.0-3294

v1.19.1

v1.19.1-3316

v1.19.1-3320

v1.19.1-3325

v1.19.1-3334

v1.19.1-3355

v1.19.1-3387

v1.19.1-3394

v1.19.1-3398

v1.19.2

v1.19.2-3426

v1.19.2-3431

v1.19.3

v1.19.3-3458

v1.19.3-3474

v1.19.3-3475

v1.19.3-3483

v1.19.3-3494

v1.19.3-3517

v1.19.3-3518

v1.19.3-3528

v1.19.3-3529

v1.19.3-3568

v1.19.3-3584

v1.19.3-3597

v1.19.3-3602

v1.19.3-3603

v1.19.3-3606

v1.19.3-3614

v1.19.3-3615

v1.19.3-3619

v1.19.3-3622

v1.19.3-3632

v1.19.3-3638

v1.19.3-3645

v1.19.3-3646

v1.19.3-3648

v1.19.3-3651

v1.19.3-3676

v1.19.3-3685

v1.19.3-3690

v1.19.4-3759

v1.19.4-3763

v1.19.5

v1.19.5-3765

v1.19.5-3796

v1.19.5-3797

v1.19.5-3798

v1.19.5-3859

v1.19.5-3864

v1.19.5-3900

v1.19.5-3903

v1.19.5-3905

v1.19.5-3906

v1.19.5-3911

v1.19.5-3915

v1.19.6-3948

v1.19.6-3949

v1.19.6-3954

v1.19.6-3955

v1.19.6-3960

v1.19.6-3961

v1.19.6-3968

v1.19.6-3969

v1.19.6-3974

v1.19.6-3979

v1.19.6-3984

v1.19.6-3985

v1.19.6-3989

v1.19.6-3990

v1.19.6-3994

v1.19.6-3999

v1.19.6-4000

v1.19.6-4003

v1.19.6-4004

v1.19.6-4016

v1.19.6-4019

v1.19.6-4023

v1.19.6-4027

v1.19.6-4037

v1.19.6-4038

v1.19.6-4040

v1.19.6-4041

v1.19.6-4045

v1.19.6-4046

v1.19.6-4050

v1.19.6-4056

v1.19.6-4060

v1.19.6-4061

v1.19.6-4065

v1.19.6-4066

v1.2.0

v1.20.0

v1.20.0-4069

v1.20.0-4071

v1.20.0-4072

v1.20.0-4076

v1.20.0-4077

v1.20.0-4083

v1.20.0-4088

v1.20.0-4095

v1.20.0-4104

v1.20.0-4105

v1.20.0-4107

v1.20.0-4115

v1.20.0-4125

v1.20.0-4126

v1.20.0-4127

v1.20.0-4131

v1.20.0-4132

v1.20.0-4153

v1.20.0-4157

v1.20.0-4161

v1.20.0-4164

v1.20.0-4177

v1.20.0-4180

v1.20.0-4183

v1.20.0-4187

v1.20.0-4191

v1.20.0-4198

v1.20.0-4212

v1.20.0-4214

v1.20.0-4218

v1.20.0-4219

v1.20.0-4222

v1.20.0-4223

v1.20.0-4224

v1.20.0-4229

v1.20.0-4230

v1.20.0-4231

v1.20.0-4238

v1.20.0-4249

v1.20.0-4250

v1.20.0-4255

v1.20.0-4256

v1.20.0-4262

v1.20.1-4353

v1.20.1-4362

v1.20.1-4368

v1.20.1-4372

v1.20.1-4377

v1.20.1-4378

v1.20.1-4383

v1.20.1-4385

v1.20.1-4395

v1.20.1-4400

v1.20.1-4404

v1.20.1-4405

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.6

v1.4.7

v1.5.0

v1.5.1

v1.6.0

v1.7.0

v1.7.1

v1.7.2

v1.7.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49828.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "13.1"
            },
            {
                "fixed": "13.5"
            }
        ]
    }
]