HCSEC-2021-03 - Vault API Endpoint Allowed Enumeration of Secrets Engine Mount Paths Without Authentication

Bulletin ID: HCSEC-2021-03
Affected Products / Versions: Vault and Vault Enterprise, all prior versions; fixed in 1.6.2 & 1.5.7.
Publication Date: 29 January, 2021

Vault and Vault Enterprise (“Vault”) allowed the enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This vulnerability, CVE-2020-25594, was fixed in Vault 1.6.2 & 1.5.7.

Vault operators are able to mount Secrets Engines at customizable paths. Secrets engines are components which store, generate, or encrypt data.

An external party reported that they were able to enumerate legitimate Secrets Engine mount paths by brute-forcing Vault’s API with unauthenticated HTTP requests.

Note that knowledge of the existence of a Secrets Engine mount is not critical to the Vault security model, but this is considered unnecessary information disclosure.

Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.6.2, 1.5.7 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
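As an added example (not part of the original bulletin or of HashiCorp's tooling), the following Python helper decides whether a reported Vault version falls before the fixes named above (1.6.2 and 1.5.7), so an operator can triage a fleet of clusters against this bulletin. It assumes the version string is taken from the `version` field of the `/v1/sys/health` response or from `vault status`; the sample response body is constructed for illustration.

```python
import json
import re
from typing import Tuple

# Patch level at which each release line received the fix named in HCSEC-2021-03.
FIXED_BY_BRANCH = {(1, 6): 2, (1, 5): 7}


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Reduce a Vault version string such as '1.6.1+ent' or 'v1.5.7+ent.hsm' to (major, minor, patch)."""
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not match:
        raise ValueError(f"unrecognised Vault version string: {raw!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_affected(raw_version: str) -> bool:
    """True when the version predates the fix on its release line (CVE-2020-25594)."""
    major, minor, patch = parse_version(raw_version)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return patch < FIXED_BY_BRANCH[branch]
    # Release lines newer than 1.6 were cut after the fix; lines older than 1.5 never received it.
    return branch < (1, 6)


def assess_health_response(body: str) -> dict:
    """Read the 'version' field of a /v1/sys/health JSON body and report affected status."""
    health = json.loads(body)
    version = health["version"]
    return {"version": version, "affected": is_affected(version)}


# Constructed, abbreviated /v1/sys/health body (not captured from a real server).
SAMPLE_HEALTH = '{"initialized": true, "sealed": false, "standby": false, "version": "1.6.1+ent"}'

if __name__ == "__main__":
    print(assess_health_response(SAMPLE_HEALTH))  # {'version': '1.6.1+ent', 'affected': True}
```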

This issue was identified by Toyota Connected who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.