A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/hashicorp/vault(Go) | 0 | 1.20.1 | N/A |
CVSS Metrics
