
17 matches found

SUSE CVE
added 2026/06/06 3:25 a.m. · 3 views

SUSE CVE-2025-6004

Vault and Vault Enterprise's “Vault” user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

CVSS 5.3 · AI score 5.8 · EPSS 0.00381
Exploits: 0 · References: 3
EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2025-23396

Malicious code in bioql PyPI...

CVSS 5.3 · AI score 6.3 · EPSS 0.00381
Exploits: 0 · References: 3
EUVD
added 2025/10/03 8:7 p.m. · 7 views

EUVD-2025-23395

Malicious code in bioql PyPI...

CVSS 3.7 · AI score 6.3 · EPSS 0.00307
Exploits: 0 · References: 3
Veracode
added 2025/08/19 11:11 a.m. · 3 views

Timing Side-channel Attacks

github.com/hashicorp/vault is vulnerable to timing side-channel attacks. The vulnerability is due to differences in response timing in the Userpass auth method, which allow an attacker to distinguish between valid and invalid usernames and potentially enumerate existing accounts...

CVSS 3.7 · AI score 7 · EPSS 0.00307
Exploits: 0 · References: 3 · Affected Software: 1
SUSE CVE
added 2025/08/11 11:22 p.m. · 1 view

SUSE CVE-2025-54998

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by...

CVSS 5.3 · AI score 6.9 · EPSS 0.00199
Exploits: 0 · References: 4
NVD
added 2025/08/09 3:15 a.m. · 10 views

CVE-2025-54999

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users an...

CVSS 3.7 · EPSS 0.0018
Exploits: 0 · References: 4
Snyk
added 2025/08/09 2:41 a.m. · 1 view

Brute Force

Overview: Affected versions of this package are vulnerable to Brute Force via the authentication process in the Userpass or LDAP systems. An attacker can circumvent intended user lockout protections by exploiting differences in user entity alias attribution between pre-flight and full login...

CVSS 6.9 · AI score 7.1 · EPSS 0.00199
Exploits: 0 · References: 2
Snyk
added 2025/08/09 2:41 a.m. · 1 view

Brute Force

Overview: Affected versions of this package are vulnerable to Brute Force via the authentication process in the Userpass or LDAP systems. An attacker can circumvent intended user lockout protections by exploiting differences in user entity alias attribution between pre-flight and full login...

CVSS 6.9 · AI score 7.1 · EPSS 0.00199
Exploits: 0 · References: 2
Positive Technologies
added 2025/08/08 12:0 a.m. · 2 views

PT-2025-32381 · Openbao · Openbao

Name of the Vulnerable Software and Affected Versions: OpenBao versions 0.1.0 through 2.3.1 Description: OpenBao is a software solution designed for managing, storing, and distributing sensitive data, including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, user enumeration was...

CVSS 3.7 · AI score 6.6 · EPSS 0.00307
Exploits: 0 · References: 14
RedhatCVE
added 2025/08/06 8:44 a.m. · 2 views

CVE-2025-6011

A flaw was found in github.com/hashicorp/vault. The Userpass authentication method exhibits a timing vulnerability, allowing an attacker to determine whether a username exists within Vault by measuring response times, and enables potential enumeration of valid usernames. This vulnerability allows...

CVSS 3.7 · AI score 6.1 · EPSS 0.00307
Exploits: 0 · References: 5
OSV
added 2025/08/05 8:52 a.m. · 6 views

BIT-VAULT-2025-6011 Timing Side-Channel in Vault’s Userpass Auth Method

A timing side channel in Vault and Vault Enterprise’s “Vault” userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise...

CVSS 3.7 · AI score 6.2 · EPSS 0.00307
Exploits: 0 · References: 2
OSV
added 2025/08/01 6:31 p.m. · 3 views

GHSA-MWGR-84FV-3JH9 Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users

A timing side channel in Vault and Vault Enterprise’s “Vault” userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise...

CVSS 3.7 · AI score 6.1 · EPSS 0.00307
Exploits: 0 · References: 3
OSV
added 2025/08/01 6:15 p.m. · 2 views

CVE-2025-6004

Vault and Vault Enterprise’s “Vault” user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

CVSS 5.3 · AI score 7.4
Exploits: 0 · References: 1
NVD
added 2025/08/01 6:15 p.m. · 4 views

CVE-2025-6004

Vault and Vault Enterprise’s “Vault” user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

CVSS 5.3 · EPSS 0.00381
Exploits: 0 · References: 1
Cvelist
added 2025/08/01 5:56 p.m. · 8 views

CVE-2025-6004 Vault Userpass and LDAP User Lockout Bypass

Vault and Vault Enterprise’s “Vault” user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

CVSS 5.3 · EPSS 0.00381
Exploits: 0 · References: 1
Positive Technologies
added 2025/08/01 12:0 a.m. · 4 views

PT-2025-31679

Name of the Vulnerable Software and Affected Versions: Vault versions prior to 1.20.1; Vault Enterprise versions prior to 1.20.1; Vault Enterprise version 1.19.7; Vault Enterprise version 1.18.12; Vault Enterprise version 1.16.23. Description: A timing side channel in the userpass authentication method...

CVSS 9.1 · AI score 6.6 · EPSS 0.00873
Exploits: 0 · References: 34
Snyk
added 2025/07/11 10:0 p.m. · 3 views

Observable Discrepancy

Overview: Affected versions of this package are vulnerable to Observable Discrepancy via userpass auth method. An attacker can enumerate valid usernames on this auth method through brute force or a list of known usernames. Workaround: This issue can be partially mitigated by using rate-limit quotas...

CVSS 6.3 · AI score 6.9
Exploits: 0 · References: 2