8.2

CVE-2020-16250

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..

Data is provided by the National Vulnerability Database (NVD)
HashicorpVault SwEdition- Version >= 0.7.1 < 1.2.5
HashicorpVault SwEditionenterprise Version >= 0.7.1 < 1.2.5
HashicorpVault SwEdition- Version >= 1.3.0 < 1.3.8
HashicorpVault SwEditionenterprise Version >= 1.3.0 < 1.3.8
HashicorpVault SwEdition- Version >= 1.4.0 < 1.4.4
HashicorpVault SwEditionenterprise Version >= 1.4.0 < 1.4.4
HashicorpVault SwEdition- Version >= 1.5.0 < 1.5.1
HashicorpVault SwEditionenterprise Version >= 1.5.0 < 1.5.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.39% 0.798
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.2 3.9 4.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.