CVE-2020-25594

Source
Severity Low
Remote Yes
Type Information disclosure
Description
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This is fixed in versions 1.6.2 and 1.5.7.
Group | Package | Affected | Fixed | Severity | Status | Ticket
AVG-1368 | vault | 1.5.5-1 | 1.5.7-1 | Medium | Fixed | FS#69015
References
https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336
https://github.com/hashicorp/vault/pull/10650
https://github.com/hashicorp/vault/commit/77eccdcd113a70b0768917533e5e114a8ddd7cca