CVE-2025-6013 | THREATINT

Description

Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

PUBLISHED Reserved 2025-06-11 | Published 2025-08-06 | Updated 2026-02-26 | Assigner HashiCorp

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-156: Improper Neutralization of Whitespace

Product status

Default status

unaffected

1.10.0 (semver) before 1.20.2

affected

Default status

unaffected

1.10.0 (semver) before 1.20.2

affected

References

discuss.hashicorp.com/...-when-using-username-as-alias/76092

cve.org (CVE-2025-6013)

nvd.nist.gov (CVE-2025-6013)

Download JSON

help @ threatint.eu