CVE-2020-16250: Authentication Bypass by Spoofing

August 2, 2021

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..

References

github.com/advisories/GHSA-fp52-qw33-mfmw
github.com/hashicorp/vault/blob/master/CHANGELOG.md
nvd.nist.gov/vuln/detail/CVE-2020-16250

Detect and mitigate CVE-2020-16250 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →