8 matches found
EUVD-2025-24033
Malicious code in bioql PyPI...
CVE-2025-55001 OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. Whe...
CVE-2025-55001 OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. Whe...
ROS-20250402-08
The vulnerability in HashiCorp's Vault and Vault Enterprise enterprise information archiving platforms is related to the fact that the application allows the use of entity aliases mapped to a single resource with the same alias name. Exploitation of the vulnerability could allow an attacker actin...
Vault Entity Alias Metadata May Leak Between Aliases With The Same Name Assigned To The Same Entity
Summary When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. This vulnerability,...
GHSA-PFMW-VJ74-PH8G HashiCorp Vault Incorrect Permission Assignment for Critical Resource
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault...
Vault's Templated ACL Policies Matched First-Created Alias Per Entity and Auth Backend
Summary Vault and Vault Enterprise “Vault” templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed...
Vault Merging Multiple Entity Aliases for the Same Mount May Allow Privilege Escalation
Summary A Vault or Vault Enterprise “Vault” user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user’s policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4...