CVE-2020-25594 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Low
Remote	Yes
Type	Information disclosure
Description	HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This is fixed in versions 1.6.2 and 1.5.7.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1368	vault	1.5.5-1	1.5.7-1	Medium	Fixed	FS#69015

References
https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336 https://github.com/hashicorp/vault/pull/10650 https://github.com/hashicorp/vault/commit/77eccdcd113a70b0768917533e5e114a8ddd7cca

References

https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336
https://github.com/hashicorp/vault/pull/10650
https://github.com/hashicorp/vault/commit/77eccdcd113a70b0768917533e5e114a8ddd7cca