Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-35177 (Medium) detected in github.com/hashicorp/vault-v1.3.1 #2547

Closed
mend-bolt-for-github bot opened this issue Jan 25, 2022 · 2 comments
Closed

CVE-2020-35177 (Medium) detected in github.com/hashicorp/vault-v1.3.1 #2547

mend-bolt-for-github bot opened this issue Jan 25, 2022 · 2 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource stale All issues that are marked as stale due to inactivity

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Jan 25, 2022
edited
Loading

CVE-2020-35177 - Medium Severity Vulnerability

Vulnerable Library - github.com/hashicorp/vault-v1.3.1

A tool for secrets management, encryption as a service, and privileged access management

Dependency Hierarchy:

  • github.com/hashicorp/vault-v1.3.1 (Vulnerable Library)

Found in HEAD commit: 4213ed86dc859b83c4f126853835fab3dc987b5d

Found in base branch: main

Vulnerability Details

HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

Publish Date: 2020-12-17

URL: CVE-2020-35177

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984

Release Date: 2020-12-17

Fix Resolution: v1.5.6, v1.6.1

Step up your Open Source Security Game with WhiteSource here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Jan 25, 2022
@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2020-35177 (Medium) detected in github.com/hashicorp/vault-v1.3.0 CVE-2020-35177 (Medium) detected in github.com/hashicorp/vault-v1.3.1 Jan 26, 2022
RamCohen added a commit to RamCohen/keda that referenced this issue Feb 25, 2022
@RamCohen
Update hashicorp vault api version to 1.4.0
530d33f 
Fixes kedacore#2519 kedacore#2520 kedacore#2521 kedacore#2522 kedacore#2523 kedacore#2524 kedacore#2525 kedacore#2526 kedacore#2527 kedacore#2528 kedacore#2530 kedacore#2531 kedacore#2532 kedacore#2534 kedacore#2537 kedacore#2538 kedacore#2539 kedacore#2540 kedacore#2543 kedacore#2546 kedacore#2547 kedacore#2549 kedacore#2550 kedacore#2551 kedacore#2552 kedacore#2553 kedacore#2554 kedacore#2555 kedacore#2556 kedacore#2557

Signed-off-by: Ram Cohen <ram.cohen@gmail.com>
@RamCohen RamCohen mentioned this issue Feb 25, 2022
Closed
@stale
Copy link

stale bot commented Mar 27, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale All issues that are marked as stale due to inactivity label Mar 27, 2022
@stale
Copy link

stale bot commented Apr 3, 2022

This issue has been automatically closed due to inactivity.

@stale stale bot closed this as completed Apr 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource stale All issues that are marked as stale due to inactivity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants