HashiCorp’s Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Alpine | edge-community | noarch | vault | < 1.14.0-r0 | UNKNOWN |