We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-49831

Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) vulnerable to IAM Authenticator Bypass via Mis-configured Network Device



Description

An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attacker’s control. CyberArk believes there to be very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

Reserved 2025-06-11 | Published 2025-07-15 | Updated 2025-07-15 | Assigner GitHub_M


CRITICAL: 9.1CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-287: Improper Authentication

Product status

Conjur OSS < 1.22.1
affected

Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) < 13.5.1
affected

Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) = 13.6
affected

References

github.com/...conjur/security/advisories/GHSA-952q-mjrf-wp5j

github.com/cyberark/conjur/releases/tag/v1.22.1

cve.org (CVE-2025-49831)

nvd.nist.gov (CVE-2025-49831)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-49831

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.