---

CVE-2020-25594 - log back

CVE-2020-25594 edited at 11 Feb 2021 13:02:10
References	https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336 https://github.com/hashicorp/vault/pull/10650 - https://github.com/hashicorp/vault/commit/131123918ae8e6ca1ffba4dd7ed32b04c2068dd3 + https://github.com/hashicorp/vault/commit/77eccdcd113a70b0768917533e5e114a8ddd7cca

CVE-2020-25594 edited at 01 Feb 2021 18:19:48
Severity	- Unknown + Low
Remote	- Unknown + Remote
Type	- Unknown + Information disclosure
Description	+ HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This is fixed in versions 1.6.2 and 1.5.7.
References	+ https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336 + https://github.com/hashicorp/vault/pull/10650 + https://github.com/hashicorp/vault/commit/131123918ae8e6ca1ffba4dd7ed32b04c2068dd3

CVE-2020-25594 created at 01 Feb 2021 18:14:35
Severity	+ Unknown
Remote	+ Unknown
Type	+ Unknown
Description
References
Notes