CVE-2020-35177: Generation of Error Message Containing Sensitive Information

January 31, 2024

HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

References

discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984
github.com/advisories/GHSA-rpgp-9hmg-j25x
github.com/hashicorp/vault/blob/master/CHANGELOG.md
github.com/hashicorp/vault/pull/10537
nvd.nist.gov/vuln/detail/CVE-2020-35177

Detect and mitigate CVE-2020-35177 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →