We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-49828

Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) Vulnerable to Remote Code Execution



Description

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database could take advantage of an exposed API endpoint to execute arbitrary Ruby code within the Secrets Manager process. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.21.2 and Secrets Manager, Self-Hosted version 13.5 fix the issue.

Reserved 2025-06-11 | Published 2025-07-15 | Updated 2025-07-15 | Assigner GitHub_M


HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Product status

Conjur OSS >= 1.20.1, < 1.21.2
affected

Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) >= 13.1, < 13.5
affected

References

github.com/...conjur/security/advisories/GHSA-93hx-v9pv-qrm4

github.com/cyberark/conjur/releases/tag/v1.21.2

cve.org (CVE-2025-49828)

nvd.nist.gov (CVE-2025-49828)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-49828

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.