{ "threat_severity" : "Important", "public_date" : "2025-10-23T19:08:54Z", "bugzilla" : { "description" : "github.com/hashicorp/vault: Vault AWS auth method bypass due to AWS client cache", "id" : "2406096", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2406096" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-288", "details" : [ "Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27", "An authentication bypass flaw has been discovered in Hashicorp's vault product. Vault's AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard." ], "affected_release" : [ { "product_name" : "Red Hat OpenShift Pipelines 1.2", "release_date" : "2026-03-05T00:00:00Z", "advisory" : "RHSA-2026:3827", "cpe" : "cpe:/a:redhat:openshift_pipelines:1.20::el9", "package" : "openshift-pipelines/pipelines-cli-tkn-rhel9:sha256:05d553e2c0d86956b32281aa6ae7ffa1948073f753889007f041eb2a72cbfa91" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21976", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/fulcio-rhel9:sha256:b19900ebbf9cac67196127a60ea2434a8ce2011b17bab15a0e7fc96cf38a63fa" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21981", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/rekor-cli-rhel9:sha256:3782ef36eac0a40b3b8d018476d0af7505d2a81f0ccb993644e8c5f20f1cd566" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21981", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/rekor-server-rhel9:sha256:799b0b86f83f0fdf450ecbd2726419570b15f6ec5ba5b814750d45b8269e4dac" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21984", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/timestamp-authority-rhel9:sha256:7b3eb9108c50321278ccad2032b3fb365911df83084cca953dd068cdd51f7874" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21988", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/client-server-rhel9:sha256:cddda466bc9957f1c3902da3a0cf37ef3ec08f4aeb8c50a421405540120b75cf" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21988", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/cosign-rhel9:sha256:a6f3dba2c7ec8cdf7a87a2e8679da66c2248b44c7e15611205f096a6c1629f88" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21988", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/gitsign-rhel9:sha256:882d508ec7d71fb3e13ee240ee295ee91884700d63029bb58bd456b6d23fd5e0" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22058", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/policy-controller-rhel9:sha256:7172d6a08594cccd155c2f74110cfbafadb812af84bb6b75c8bec1e3c416bd26" } ], "package_state" : [ { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "cert-manager/cert-manager-istio-csr-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "cert-manager/cert-manager-operator-bundle", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "cert-manager/cert-manager-operator-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "cert-manager/jetstack-cert-manager-acmesolver-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "cert-manager/jetstack-cert-manager-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "Custom Metric Autoscaler operator for Red Hat Openshift", "fix_state" : "Not affected", "package_name" : "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9", "cpe" : "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2" }, { "product_name" : "Custom Metric Autoscaler operator for Red Hat Openshift", "fix_state" : "Not affected", "package_name" : "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9", "cpe" : "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2" }, { "product_name" : "Custom Metric Autoscaler operator for Red Hat Openshift", "fix_state" : "Not affected", "package_name" : "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9", "cpe" : "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2" }, { "product_name" : "Custom Metric Autoscaler operator for Red Hat Openshift", "fix_state" : "Not affected", "package_name" : "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2" }, { "product_name" : "External Secrets Operator for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "external-secrets-operator/external-secrets-operator-rhel9", "cpe" : "cpe:/a:redhat:external_secrets_operator:1" }, { "product_name" : "External Secrets Operator for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "external-secrets-operator/external-secrets-rhel9", "cpe" : "cpe:/a:redhat:external_secrets_operator:1" }, { "product_name" : "external secrets operator for Red Hat OpenShift - Tech Preview", "fix_state" : "Not affected", "package_name" : "external-secrets-operator/external-secrets-operator-rhel9", "cpe" : "cpe:/a:redhat:external_secrets_operator:0" }, { "product_name" : "external secrets operator for Red Hat OpenShift - Tech Preview", "fix_state" : "Not affected", "package_name" : "external-secrets-operator/external-secrets-rhel9", "cpe" : "cpe:/a:redhat:external_secrets_operator:0" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/oc-mirror-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-baremetal-installer-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-installer-altinfra-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-installer-artifacts-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-installer-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-kube-state-metrics-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/cephcsi-rhel9", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/mcg-cli-rhel9", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/mcg-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/ocs-metrics-exporter-rhel9", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/ocs-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/odf-cli-rhel9", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/odf-multicluster-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/odf-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/rook-ceph-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat OpenStack Platform 18.0", "fix_state" : "Not affected", "package_name" : "rhoso-operators/openstack-operator-bundle", "cpe" : "cpe:/a:redhat:openstack:18.0" }, { "product_name" : "Red Hat OpenStack Platform 18.0", "fix_state" : "Not affected", "package_name" : "rhoso-operators/openstack-rhel9-operator", "cpe" : "cpe:/a:redhat:openstack:18.0" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/rekor-backfill-redis-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Zero Trust Workload Identity Manager - Tech Preview", "fix_state" : "Will not fix", "package_name" : "zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9", "cpe" : "cpe:/a:redhat:zero_trust_workload_identity_manager:0" }, { "product_name" : "Zero Trust Workload Identity Manager - Tech Preview", "fix_state" : "Affected", "package_name" : "zero-trust-workload-identity-manager/spiffe-spire-oidc-discovery-provider-rhel9", "cpe" : "cpe:/a:redhat:zero_trust_workload_identity_manager:0" }, { "product_name" : "Zero Trust Workload Identity Manager - Tech Preview", "fix_state" : "Will not fix", "package_name" : "zero-trust-workload-identity-manager/spiffe-spire-server-rhel9", "cpe" : "cpe:/a:redhat:zero_trust_workload_identity_manager:0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-11621\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-11621\nhttps://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709\nhttps://github.com/hashicorp/vault/commit/054c35de0c830fd7cb9991bec8b0e6a0c793e98d" ], "name" : "CVE-2025-11621", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }