All errata/sisyphus/ALT-PU-2025-7579-3
ALT-PU-2025-7579-3

Package update vault in branch sisyphus

Version1.19.5-alt1
Task#385729
Published2026-03-07
Max severityHIGH
Severity:

Closed issues (15)

BDU:2024-07431
MEDIUM6.5

Уязвимость платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise, связанная с вставкой конфиденциальной информации в файл журнала, позволяющая нарушителю получить доступ к конфиденциальной информации

Published: 2024-09-24
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
References
BDU:2025-06973
MEDIUM4.5

Уязвимость плагина KVv2 платформ для архивирования корпоративной информации Vault Community Edition и Vault Enterprise, позволяющая нарушителю получить несанкциоинрованный доступ к защищаемой информации

Published: 2025-06-19
CVSS 3.xMEDIUM 4.5
CVSS:3.x/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
References
BDU:2025-08559
MEDIUM6.6

Уязвимость компонента Azure Auth платформы для архивирования корпоративной информации Vault Enterprise, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2025-07-16
CVSS 3.xMEDIUM 6.6
CVSS:3.x/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:C/A:C
References
BDU:2025-08603
HIGH7.5

Уязвимость платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise, связанная с неправильным назначением разрешений для критического ресурса, позволяющая нарушителю обойти процесс аутентификации

Published: 2025-07-17
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:C/A:C
References
BDU:2025-10836
HIGH7.5

Уязвимость платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise, связанная с неправильной аутентификацией, позволяющая нарушителю обойти существующие ограничения безопасности

Published: 2025-09-08
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:N
References
CVE-2024-5798
HIGH7.5

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

Published: 2024-06-12Modified: 2025-11-04
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
CVE-2024-7594
HIGH8.8

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.

Published: 2024-09-26Modified: 2025-11-13
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2024-8365
MEDIUM6.5

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

Published: 2024-09-02Modified: 2024-09-04
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References
CVE-2025-3879
HIGH8.8

Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

Published: 2025-05-02Modified: 2025-08-12
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2025-4166
MEDIUM6.5

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

Published: 2025-05-02Modified: 2025-12-31
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References
GHSA-gcqf-f89c-68hv
MEDIUM4.5

Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information

Published: 2025-05-02Modified: 2025-05-06
CVSS 3.xMEDIUM 4.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
References
GHSA-jg74-mwgw-v6x3
HIGH7.7

Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

Published: 2024-09-27Modified: 2025-08-12
CVSS 3.xHIGH 7.7
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0HIGH 7.7
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
GHSA-jjxf-26c9-77gm
MEDIUM6.0

Vault Leaks Client Token and Token Accessor in Audit Devices

Published: 2024-09-02Modified: 2024-09-07
CVSS 3.xMEDIUM 6.0
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 4.0MEDIUM 6.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
References