8.8

CVE-2025-3879

Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login

Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HashicorpVault SwEditionenterprise Version >= 0.10.0 < 1.16.18
HashicorpVault SwEdition- Version >= 0.10.0 < 1.19.1
HashicorpVault SwEditionenterprise Version >= 1.17.0 < 1.17.14
HashicorpVault SwEditionenterprise Version >= 1.18.0 < 1.18.7
HashicorpVault Version1.19.0 SwEditionenterprise
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.23% 0.453
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@hashicorp.com 6.6 0.7 5.9
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.