
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN731
_____________________________________________________________________

DATE                : 24/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Vault Community Edition versions
                     prior to 1.21.0, and Vault Enterprise versions
                     prior to 1.21.0, 1.20.5, 1.19.11 and 1.16.27.

=====================================================================
https://discuss.hashicorp.com/t/hcsec-2025-31-vault-vulnerable-to-denial-of-service-due-to-rate-limit-regression/76710
https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709
_____________________________________________________________________


Bulletin ID: HCSEC-2025-31
Affected Products / Versions: Vault Community Edition 1.20.3 to 1.20.4;
fixed in 1.21.0.

Vault Enterprise 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to
1.18.15, 1.16.25 to 1.16.26; fixed in 1.21.0, 1.20.5, 1.19.11, and
1.16.27.

Publication Date: October 23, 2025


Summary
Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated
denial of service when processing JSON payloads. The cause is a regression
introduced by the fix for HCSEC-2025-24, which left JSON payloads being
parsed before rate limits were applied. This vulnerability,
CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault
Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.


Background
Vault allows operators to configure tunable rate limits and other resource
quotas. Due to a regression from the HCSEC-2025-24 fix, rate limits were
applied after JSON payload processing rather than before, enabling resource
exhaustion.


Details
Every request in Vault is subject to configurable rate limits. HCSEC-2025-24
addressed the processing of complex JSON payloads that could exhaust
underlying resources depending on their structure. In the affected versions,
Vault still accepted large but valid JSON requests below the listener's
max_request_size threshold and parsed them before consulting the rate limit.
Because rate limiting occurred post-parse, repeatedly sending such payloads
could consume CPU and memory, resulting in service unavailability or crashes.
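The ordering problem described above, as an added model (not Vault's code and not part of the HashiCorp bulletin): two request pipelines receive the same flood of identical JSON bodies under a small quota. The "regressed" pipeline parses first and checks the quota afterwards; the "fixed" pipeline checks the quota first. A counter on the parser shows that only the fixed order bounds parse work by the quota. The token bucket, the counters and the payload are constructed for the example; the 32 MiB figure is Vault's documented default for the listener's max_request_size.

```python
"""Order-of-operations model of HCSEC-2025-31 (added example; not Vault's code)."""
import json
from dataclasses import dataclass

MAX_REQUEST_SIZE = 32 * 1024 * 1024   # Vault listener default for max_request_size (bytes)


@dataclass
class TokenBucket:
    """Minimal token bucket standing in for a rate-limit quota: `rate` is
    requests per second, `burst` the maximum backlog. The clock is passed in
    by the caller so a flood can be replayed deterministically."""
    rate: float
    burst: int
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Stats:
    parsed: int = 0         # bodies handed to json.loads
    parsed_bytes: int = 0   # bytes those bodies contained
    served: int = 0
    rejected: int = 0


def parse_body(body: bytes, stats: Stats) -> dict:
    stats.parsed += 1
    stats.parsed_bytes += len(body)
    return json.loads(body)


def handle_regressed(body: bytes, quota: TokenBucket, now: float, stats: Stats) -> int:
    """Affected order: size check, parse, then quota. Every request under
    max_request_size costs a full parse whether or not it is later refused."""
    if len(body) > MAX_REQUEST_SIZE:
        stats.rejected += 1
        return 413
    parse_body(body, stats)
    if not quota.allow(now):
        stats.rejected += 1
        return 429
    stats.served += 1
    return 200


def handle_fixed(body: bytes, quota: TokenBucket, now: float, stats: Stats) -> int:
    """Fixed order: size check, quota, then parse. Refused requests cost no parse."""
    if len(body) > MAX_REQUEST_SIZE:
        stats.rejected += 1
        return 413
    if not quota.allow(now):
        stats.rejected += 1
        return 429
    parse_body(body, stats)
    stats.served += 1
    return 200


def make_payload(entries: int = 2000) -> bytes:
    """Constructed payload: large but valid JSON, far below max_request_size."""
    return json.dumps({"data": {f"k{i}": "x" * 100 for i in range(entries)}}).encode()


def run_flood(handler, requests: int, rate: float = 10.0, burst: int = 10) -> Stats:
    """Replay `requests` identical payloads at the same instant (no time for
    the bucket to refill) and return the counters."""
    quota = TokenBucket(rate=rate, burst=burst)
    stats = Stats()
    body = make_payload()
    for _ in range(requests):
        handler(body, quota, 0.0, stats)
    return stats


if __name__ == "__main__":
    for name, handler in (("regressed", handle_regressed), ("fixed", handle_fixed)):
        s = run_flood(handler, 1000)
        print(f"{name:9s} served={s.served} rejected={s.rejected} "
              f"parsed={s.parsed} parsed_bytes={s.parsed_bytes}")
```

Both pipelines serve exactly the quota's burst and refuse the rest; the difference is that the regressed order pays the parse cost for all 1000 bodies, which is the resource exhaustion the bulletin describes. In a real deployment the cost is CPU time and allocation rather than a counter, and the size check alone (max_request_size) does not help because the payloads are below it.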


Remediation
Customers should evaluate the risk associated with this issue and consider
upgrading to Vault Community Edition 1.21.0 or Vault Enterprise 1.21.0,
1.20.5, 1.19.11, or 1.16.27. Please refer to Upgrading Vault for general
guidance.


Acknowledgement
This issue was identified by Toni Tauro of Adfinis AG.

We deeply appreciate any effort to coordinate disclosure of security
vulnerabilities. For information about security at HashiCorp and the
reporting of security vulnerabilities, please see
https://hashicorp.com/security.

_____________________________________________________________________

 HCSEC-2025-30 - Vault AWS Auth Method Authentication Bypass Through
Mishandling of Cache Entries


Bulletin ID: HCSEC-2025-30
Affected Products / Versions: Vault Community Edition 0.6.0 up to
1.20.4; fixed in 1.21.0.
Vault Enterprise 0.6.0 up to 1.20.4, 1.19.10, 1.18.15, and 1.16.26;
fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

Publication Date: October 23, 2025

Summary
Vault and Vault Enterprise's ("Vault") AWS auth method may be
susceptible to authentication bypass if the role named in the configured
bound_iam_principal_arn exists under the same name in another AWS
account, or if the binding uses a wildcard. This vulnerability,
CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault
Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.


Background
Vault's AWS auth method provides an automated mechanism to retrieve
a Vault token for IAM principals and AWS EC2 instances. During login
the method checks that the STS role exists in AWS, using the client
for the default account. Because this check does not validate the
account ID, an attacker can bypass it.


Details
Vault's AWS auth method maintains a cache of active AWS clients, but
lookups in this cache did not validate the account ID. If the account
ID is constrained only through the bound_iam_principal_arn and that
binding uses wildcards, and a user from the intended account has an
active session, an attacker holding an identically named role (or one
that matches the wildcards) in a different account can authenticate.
This can lead to sensitive data exposure and opportunities for further
privilege escalation.

A similar issue exists in Vault's EC2 auth type, where the
corresponding cache lookup validates only the AMI ID (ami_id) but not
the account ID. This may allow cross-account privilege escalation: an
attacker authenticating from a different account can bypass the
intended authorization controls.
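The following Python is an added example written for this note; it is not part of the HashiCorp bulletin and not Vault's code. It does two things for the IAM path of the issue above. First, it walks AWS auth role definitions in the shape of the `.data` object returned by `vault read -format=json auth/aws/role/<name>` and lists, per role, the principal name an attacker would have to hold in their own account for the collision the bulletin describes, marking wildcard bindings separately since any matching name collides. Second, it is a toy model of the client cache keyed with and without the account ID, showing why a key that omits the account lets a same-named role in another account reuse the victim's client. The role names, account IDs and ARNs are constructed; the cache model is a simplification of the described mechanism, not Vault's implementation.

```python
"""HCSEC-2025-30 collision-surface listing and cache-key model (added example; not Vault's code)."""
import re

IAM_ARN = re.compile(r"^arn:(?P<partition>[^:]+):iam::(?P<account>[^:]*):(?P<resource>.+)$")

# Constructed sample in the shape of `vault read -format=json auth/aws/role/<name>` .data
SAMPLE_ROLES = {
    "ci-deploy": {
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/deploy"],
    },
    "team-prefix": {
        "auth_type": "iam",
        "bound_iam_principal_arn": "arn:aws:iam::111111111111:role/team-*",
    },
    "ec2-only": {"auth_type": "ec2", "bound_ami_id": ["ami-0123456789abcdef0"]},
}


def split_iam_arn(arn: str):
    """Return (account, resource) for an IAM principal ARN, e.g.
    arn:aws:iam::111111111111:role/deploy -> ('111111111111', 'role/deploy')."""
    m = IAM_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM principal ARN: {arn}")
    return m.group("account"), m.group("resource")


def audit_role(name: str, data: dict) -> list:
    """Findings for one role as (role, arn, kind, principal name).
    kind 'exact': an attacker needs an identically named principal in their
    own account; 'wildcard': any name matching the pattern collides."""
    arns = data.get("bound_iam_principal_arn") or []
    if isinstance(arns, str):           # a single binding may be stored as a string
        arns = [arns]
    findings = []
    for arn in arns:
        account, resource = split_iam_arn(arn)
        kind = "wildcard" if ("*" in account or "*" in resource) else "exact"
        findings.append((name, arn, kind, resource))
    return findings


def audit_roles(roles: dict) -> list:
    return [f for name, data in roles.items() for f in audit_role(name, data)]


class ClientCache:
    """Toy model of the per-account AWS client cache. `key_fn` decides what
    the cache is indexed by; the defect class is a key without the account."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries = {}

    def client_account(self, caller_arn: str) -> str:
        """Account whose client serves this caller's role-existence check;
        a miss creates a client for the caller's own account."""
        account, _ = split_iam_arn(caller_arn)
        return self.entries.setdefault(self.key_fn(caller_arn), account)


def key_without_account(arn: str):
    return split_iam_arn(arn)[1]            # affected behaviour: resource name only


def key_with_account(arn: str):
    return split_iam_arn(arn)               # fixed behaviour: (account, resource)


def account_serving_attacker(key_fn, victim_arn: str, attacker_arn: str) -> str:
    cache = ClientCache(key_fn)
    cache.client_account(victim_arn)        # legitimate login warms the cache
    return cache.client_account(attacker_arn)


if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print("BINDING", *finding)
    victim = "arn:aws:iam::111111111111:role/deploy"
    attacker = "arn:aws:iam::999999999999:role/deploy"
    print("key without account ->", account_serving_attacker(key_without_account, victim, attacker))
    print("key with account    ->", account_serving_attacker(key_with_account, victim, attacker))
```

With the account-less key the attacker's login is served by the client cached for account 111111111111, so the role-existence check is answered from the victim's account; with the account in the key the lookup misses and the attacker's own account is used. The listing is meant as input for a cross-account check: compare the reported principal names against roles that exist in other accounts you do not control, and treat wildcard bindings as matching anything, until the fixed versions above are deployed.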


Remediation
Customers using Vault should evaluate the risk associated with this
issue and consider upgrading to Vault Community Edition 1.21.0 or
Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

See Vault’s Upgrading documentation for general guidance on this
process.


Acknowledgement
This issue was identified by Pavlos Karakalidis who reported it to
HashiCorp.

We deeply appreciate any effort to coordinate disclosure of
security vulnerabilities. For information about security at
HashiCorp and the reporting of security vulnerabilities, please
see https://hashicorp.com/security.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




