GHSA-f9ch-h8j7-8jwg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f9ch-h8j7-8jwg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-f9ch-h8j7-8jwg/GHSA-f9ch-h8j7-8jwg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f9ch-h8j7-8jwg
- Aliases
-
- BIT-vault-2025-3879
- CVE-2025-3879
- GO-2025-3662
- Published
- 2025-05-02T18:31:38Z
- Modified
- 2025-05-07T06:27:15.333758Z
- Severity
-
- 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Hashicorp Vault Community vulnerable to Incorrect Authorization
- Details
-
Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.
- Database specific
{ "nvd_published_at": "2025-05-02T17:15:51Z", "cwe_ids": [ "CWE-863" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-05-02T19:32:37Z" }- References
Affected packages
Go / github.com/hashicorp/vault
Package
- Name
- github.com/hashicorp/vault
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/hashicorp/vault