CVE-2025-3879

Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

CVSS v3 6.6 MEDIUM

6.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::-:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:1.19.0::::enterprise:::

History

12 Aug 2025, 01:39

Type	Values Removed	Values Added
CPE		cpe:2.3:a:hashicorp:vault:::::-:::* cpe:2.3:a:hashicorp:vault:1.19.0::::enterprise::: cpe:2.3:a:hashicorp:vault:::::enterprise:::*
First Time		Hashicorp vault Hashicorp
References	~~() https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716 -~~	() https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716 - Vendor Advisory

05 May 2025, 20:54

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-02 17:15

Updated : 2025-08-12 01:39

NVD link : CVE-2025-3879

Mitre link : CVE-2025-3879

CVE.ORG link : CVE-2025-3879

JSON object : View

Products Affected

hashicorp

vault

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-3879", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@hashicorp.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-05-02T17:15:51.273", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716", "tags": ["Vendor Advisory"], "source": "security@hashicorp.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@hashicorp.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Vault Community, Vault Enterprise (\u201cVault\u201d) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18."}, {"lang": "es", "value": "El m\u00e9todo de autenticaci\u00f3n de Azure de Vault Community, Vault Enterprise (\"Vault\") no validaba correctamente las notificaciones en el token emitido por Azure, lo que pod\u00eda provocar la omisi\u00f3n del par\u00e1metro bound_locations al iniciar sesi\u00f3n. Corregido en Vault Community Edition 1.19.1 y Vault Enterprise 1.19.1, 1.18.7, 1.17.14 y 1.16.18."}], "lastModified": "2025-08-12T01:39:23.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "2124BD65-924A-4868-8995-4705B58F2BBD", "versionEndExcluding": "1.16.18", "versionStartIncluding": "0.10.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "1D967CDF-3379-48AA-AABB-06BEF6ED749E", "versionEndExcluding": "1.19.1", "versionStartIncluding": "0.10.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "35EC1DB4-8175-43BC-9B99-AEB931647724", "versionEndExcluding": "1.17.14", "versionStartIncluding": "1.17.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "F88F6C83-988F-414A-B751-D16CF13C162E", "versionEndExcluding": "1.18.7", "versionStartIncluding": "1.18.0"}, {"criteria": "cpe:2.3:a:hashicorp:vault:1.19.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "44A51BC3-6E21-4A09-B8D3-DBA1A8F6DA0A"}], "operator": "OR"}]}], "sourceIdentifier": "security@hashicorp.com"}