Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-6014

Опубликовано: 01 авг. 2025
Источник: redhat
CVSS3: 6.5
EPSS Низкий

Описание

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

A flaw was found in github.com/hashicorp/vault. The Time-based One-Time Password Secrets Engine's (TOTP) validation endpoint allows code reuse during its validity period, enabling a remote attacker to potentially leverage existing, valid TOTP secrets. This vulnerability allows an attacker to authenticate as a user without providing a valid TOTP code, resulting in unauthorized access to resources protected by the TOTP Secrets Engine.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
cert-manager Operator for Red Hat OpenShiftcert-manager/cert-manager-operator-rhel9Fix deferred
cert-manager Operator for Red Hat OpenShiftcert-manager/jetstack-cert-manager-acmesolver-rhel9Fix deferred
cert-manager Operator for Red Hat OpenShiftcert-manager/jetstack-cert-manager-rhel9Fix deferred
external secrets operator for Red Hat OpenShift - Tech Previewexternal-secrets-operator/external-secrets-operator-rhel9Fix deferred
Red Hat Openshift Data Foundation 4odf4/cephcsi-rhel9Will not fix
Red Hat Openshift Data Foundation 4odf4/mcg-cli-rhel9Will not fix
Red Hat Openshift Data Foundation 4odf4/mcg-rhel9-operatorWill not fix
Red Hat Openshift Data Foundation 4odf4/odf-cli-rhel9Will not fix
Red Hat Trusted Artifact Signerrhtas/client-server-rhel9Will not fix
Red Hat Trusted Artifact Signerrhtas/fulcio-rhel9Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-156
https://bugzilla.redhat.com/show_bug.cgi?id=2386004github.com/hashicorp/vault: Vault TOTP Secrets Engine Code Reuse

EPSS

Процентиль: 6%
0.00025
Низкий

6.5 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-6014

CVSS3: 6.5
nvd
5 месяцев назад

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

github логотип

GHSA-qv3p-fmv3-9hww

CVSS3: 6.5
github
5 месяцев назад

Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse

fstec логотип

BDU:2025-11261

CVSS3: 6.5
fstec
5 месяцев назад

Уязвимость платформ для архивирования корпоративной информации Vault Enterprise и Vault Community Edition, связанная с неправильной аутентификацией, позволяющая нарушителю обойти аутентификацию TOTP

redos логотип

ROS-20250905-07

CVSS3: 9.1
redos
3 месяца назад

Множественные уязвимости vault

EPSS

Процентиль: 6%
0.00025
Низкий

6.5 Medium

CVSS3