Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-6011

Опубликовано: 01 авг. 2025
Источник: redhat
CVSS3: 3.7
EPSS Низкий

Описание

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
cert-manager Operator for Red Hat OpenShiftcert-manager/cert-manager-operator-rhel9Fix deferred
cert-manager Operator for Red Hat OpenShiftcert-manager/jetstack-cert-manager-acmesolver-rhel9Fix deferred
cert-manager Operator for Red Hat OpenShiftcert-manager/jetstack-cert-manager-rhel9Fix deferred
external secrets operator for Red Hat OpenShift - Tech Previewexternal-secrets-operator/external-secrets-operator-rhel9Fix deferred
Red Hat Openshift Data Foundation 4odf4/cephcsi-rhel9Will not fix
Red Hat Openshift Data Foundation 4odf4/mcg-cli-rhel9Will not fix
Red Hat Openshift Data Foundation 4odf4/mcg-rhel9-operatorWill not fix
Red Hat Openshift Data Foundation 4odf4/odf-cli-rhel9Will not fix
Red Hat Trusted Artifact Signerrhtas/client-server-rhel9Will not fix
Red Hat Trusted Artifact Signerrhtas/fulcio-rhel9Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-203
https://bugzilla.redhat.com/show_bug.cgi?id=2386025github.com/hashicorp/vault: Vault Userpass Authentication Timing Vulnerability

EPSS

Процентиль: 6%
0.00028
Низкий

3.7 Low

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-6011

CVSS3: 3.7
nvd
5 дней назад

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

github логотип

GHSA-mwgr-84fv-3jh9

CVSS3: 3.7
github
5 дней назад

Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users

EPSS

Процентиль: 6%
0.00028
Низкий

3.7 Low

CVSS3