
CVE-2025-4166

Published: 2 May 2025
Source: redhat
CVSS3: 4.5
EPSS: Low

Description

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

A flaw was found in the Hashicorp Vault component. Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. When creating or updating secrets using the KV v2 plugin through the REST API, Vault inadvertently logged the value of the secret when an error occurred in the server logs and audit logs. The inadvertent logging only affected operations if a payload was sent incorrectly, such as improperly formatted JSON. Normal operations through the UI or CLI are unaffected.

Mitigation

Customers with the capability to search through server and audit logs for any possible exposed secrets can refer to the following snippets to aid in searching. More information on viewing audit and server logs can be found at: https://developer.hashicorp.com/vault/tutorials/monitoring/troubleshooting-vault#vault-logs

Affected packages

Platform                              | Package                  | Status       | Recommendation | Release
Red Hat Openshift Data Foundation 4   | odf4/cephcsi-rhel9       | Fix deferred |                |
Red Hat Openshift Data Foundation 4   | odf4/mcg-cli-rhel9       | Fix deferred |                |
Red Hat Openshift Data Foundation 4   | odf4/mcg-rhel9-operator  | Fix deferred |                |
Red Hat Openshift Data Foundation 4   | odf4/odf-cli-rhel9       | Fix deferred |                |


Additional information

Status: Moderate
Defect: CWE-209
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2363669
vault: Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin

EPSS: 0.00146 (percentile: 35%), Low

CVSS3: 4.5 Medium

Related vulnerabilities

CVSS3: 4.5
nvd
11 months ago

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

CVSS3: 4.5
github
11 months ago

Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information

CVSS3: 4.5
fstec
11 months ago

Vulnerability in the KVv2 plugin of the Vault Community Edition and Vault Enterprise enterprise information archiving platforms that allows an attacker to gain unauthorized access to protected information

CVSS3: 4.5
redos
10 months ago

Vault vulnerability
