Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-6015

Опубликовано: 01 авг. 2025
Источник: redhat
CVSS3: 5.7
EPSS Низкий

Описание

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

A flaw was found in github.com/hashicorp/vault. The Time-based One-Time Password (TOTP) rate-limiting mechanism can be bypassed, allowing the reuse of TOTP tokens. This vulnerability allows a remote attacker to trigger authentication attempts. Successful exploitation can lead to the repeated use of TOTP tokens during authentication, resulting in unauthorized access.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
cert-manager Operator for Red Hat OpenShiftcert-manager/cert-manager-operator-rhel9Fix deferred
cert-manager Operator for Red Hat OpenShiftcert-manager/jetstack-cert-manager-acmesolver-rhel9Fix deferred
cert-manager Operator for Red Hat OpenShiftcert-manager/jetstack-cert-manager-rhel9Fix deferred
external secrets operator for Red Hat OpenShift - Tech Previewexternal-secrets-operator/external-secrets-operator-rhel9Fix deferred
Red Hat Openshift Data Foundation 4odf4/cephcsi-rhel9Will not fix
Red Hat Openshift Data Foundation 4odf4/mcg-cli-rhel9Will not fix
Red Hat Openshift Data Foundation 4odf4/mcg-rhel9-operatorWill not fix
Red Hat Openshift Data Foundation 4odf4/odf-cli-rhel9Will not fix
Red Hat Trusted Artifact Signerrhtas/client-server-rhel9Will not fix
Red Hat Trusted Artifact Signerrhtas/fulcio-rhel9Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-307
https://bugzilla.redhat.com/show_bug.cgi?id=2386029github.com/hashicorp/vault: Vault TOTP Rate Limit Bypass

EPSS

Процентиль: 5%
0.00023
Низкий

5.7 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-6015

CVSS3: 5.7
nvd
5 месяцев назад

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

github логотип

GHSA-v6r4-35f9-9rpw

CVSS3: 5.7
github
5 месяцев назад

Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability

fstec логотип

BDU:2025-11260

CVSS3: 5.7
fstec
5 месяцев назад

Уязвимость механизма блокировки пользователя платформ для архивирования корпоративной информации Vault Enterprise и Vault Community Edition, позволяющая нарушителю обойти существующие ограничения безопасности

redos логотип

ROS-20250905-07

CVSS3: 9.1
redos
3 месяца назад

Множественные уязвимости vault

EPSS

Процентиль: 5%
0.00023
Низкий

5.7 Medium

CVSS3

Уязвимость CVE-2025-6015