CVE-2025-6013

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-6013

Severity

8.1

High

CVSS V3

Description

Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

References

https://images.chainguard.dev/security/CGA-rpph-38rm-xgx5
https://github.com/advisories/GHSA-7rx2-769v-hrwf
https://images.chainguard.dev/security/CGA-7274-g9f6-rfqr
https://images.chainguard.dev/security/CGA-2c23-jfm8-gj59
https://images.chainguard.dev/security/CGA-qqcr-9h62-rxhv
https://images.chainguard.dev/security/CGA-hc2w-q7qx-q8gf
https://images.chainguard.dev/security/CGA-fwr9-5wfh-vq27
https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

The trusted source for open source

Talk to an expert

Privacy

Terms

CVE-2025-6013

Severity

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company