Description
The Key/Value (kv) version 2 secrets engine plugin in Vault Community and Vault Enterprise may unintentionally expose sensitive information in server and audit logs when a user submits a malformed payload during a secret create or update operation via the Vault REST API. The exposure is through the error message generated for the malformed request (CWE-209): the error text is recorded in the server log and in the audit log, where, unlike request and response data, it is not HMAC-protected. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16 and 1.16.20.
Mitigations
Customers who are able to search their server and audit logs should search them for any secrets that may have been exposed; the upstream HashiCorp advisory provides search snippets to aid that search (they are not reproduced on this page). Any secret found in a log must be treated as compromised and rotated, and the search should cover every destination the logs were shipped to (log forwarders, SIEM, object storage), not only the Vault host. More information on viewing audit and server logs can be found at: https://developer.hashicorp.com/vault/tutorials/monitoring/troubleshooting-vault#vault-logs
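As an added illustration (not part of this advisory, and not the search snippets published by HashiCorp or Red Hat), the following Python script scans Vault audit-log JSON lines for failed kv v2 create/update operations and flags those whose top-level `error` string appears to echo the caller's payload. The sample log lines, the error wording and the payload heuristics are constructed assumptions for the example; the real error text emitted by the vulnerable versions is not reproduced on this page. The kv v2 path layout (`<mount>/data/<path>`, default mount `secret`) is the standard one, but pass your own mount names if you use others.

```python
"""Triage helper: find kv v2 write errors in a Vault audit log whose error
text may contain the raw request payload (CVE-2025-4166 style exposure)."""
import json
import re
from typing import Iterable, Optional

# Constructed sample audit-log lines (not real data). Vault HMACs request
# and response data fields in the audit log, but the top-level "error"
# string is written verbatim. The error texts here are hypothetical
# illustrations of a message that embeds the payload, not Vault's wording.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"type":"response","time":"2025-05-01T10:00:00Z","request":{"operation":"update",'
    '"path":"secret/data/app/db","data":{"data":{"password":"hmac-sha256:1a2b"}}},'
    '"response":{"data":{"version":1}}}',
    '{"type":"response","time":"2025-05-01T10:00:05Z","request":{"operation":"update",'
    '"path":"secret/data/app/db","data":{"data":"hmac-sha256:3c4d"}},'
    '"error":"invalid request: could not parse data field: password=Sup3rS3cret!"}',
    '{"type":"response","time":"2025-05-01T10:00:09Z","request":{"operation":"read",'
    '"path":"secret/data/app/db"},"response":{"data":{"data":{"password":"hmac-sha256:1a2b"}}}}',
    '{"type":"response","time":"2025-05-01T10:00:12Z","request":{"operation":"create",'
    '"path":"secret/data/app/api","data":{"data":"hmac-sha256:5e6f"}},'
    '"error":"invalid request: could not parse data field: apikey=AKIAEXAMPLEKEY"}',
    '{"type":"response","time":"2025-05-01T10:00:15Z","request":{"operation":"update",'
    '"path":"secret/data/app/other"},"error":"permission denied"}',
    '{"type":"response","time":"2025-05-01T10:00:18Z","request":{"operation":"update",'
    '"path":"secret/metadata/app/db"},"error":"permission denied"}',
    'this line is truncated {"type":"resp',  # simulates a damaged log line
])

# kv v2 writes land on <mount>/data/<path>; the default mount is "secret".
KV2_DATA_PATH = re.compile(r"^(?P<mount>[^/]+)/data/")

# Heuristic for "this error echoes a payload": a key=value pair, a JSON
# object, or a Go map dump. Assumption about what a leaked payload looks
# like, not Vault's actual message format; review every hit by hand.
PAYLOAD_HINTS = re.compile(r'(\w+=\S+|\{.*"\w+".*\}|map\[)')


def looks_like_payload(error_text: str) -> bool:
    """True if the error text contains something shaped like request data."""
    return bool(PAYLOAD_HINTS.search(error_text))


def find_suspect_entries(lines: Iterable[str],
                         mounts: Optional[set] = None) -> list:
    """Return audit entries for failed kv v2 data writes, oldest first.

    Each hit carries time, path, the verbatim error string and whether the
    error looks like it embeds the payload. Malformed lines are skipped so
    one damaged line does not abort a scan of a large log.
    """
    suspects = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if entry.get("type") != "response":
            continue
        req = entry.get("request") or {}
        if req.get("operation") not in ("create", "update"):
            continue
        match = KV2_DATA_PATH.match(req.get("path", ""))
        if not match or (mounts is not None and match.group("mount") not in mounts):
            continue
        error = entry.get("error")
        if not error:
            continue  # successful write: data fields are HMACed, nothing to review
        suspects.append({
            "time": entry.get("time"),
            "path": req["path"],
            "error": error,
            "likely_payload": looks_like_payload(error),
        })
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_entries(SAMPLE_AUDIT_LOG.splitlines()):
        flag = "LIKELY RAW PAYLOAD" if hit["likely_payload"] else "review"
        print(f'{hit["time"]} {hit["path"]} [{flag}]: {hit["error"]}')
```

Run it over a real file with `find_suspect_entries(open("audit.log"))`. Every reported error string is stored in clear in the audit log, so a hit flagged as a likely payload means the secret written at that path (and any credential visible in the error) should be rotated, and the same search repeated against the server log and any downstream log store.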
Affected packages
Platform | Package | Status | Recommendation | Release |
---|---|---|---|---|
Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Fix deferred | | |
Red Hat Openshift Data Foundation 4 | odf4/mcg-cli-rhel9 | Fix deferred | | |
Red Hat Openshift Data Foundation 4 | odf4/mcg-rhel9-operator | Fix deferred | | |
Red Hat Openshift Data Foundation 4 | odf4/odf-cli-rhel9 | Fix deferred | | |
Additional information
Status:
EPSS:
CVSS3: 4.5 Medium
Related vulnerabilities
Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information
EPSS:
CVSS3: 4.5 Medium