{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-6037", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2025-06-12T18:21:50.999Z", "datePublished": "2025-08-01T17:52:48.778Z", "dateUpdated": "2025-08-02T03:55:53.155Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "1.20.1", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault Enterprise", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.19.7", "status": "unaffected"}, {"at": "1.18.12", "status": "unaffected"}, {"at": "1.16.23", "status": "unaffected"}], "lessThan": "1.20.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.</p><br/>"}], "value": "Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23."}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122: Privilege Abuse"}]}], "metrics": [{"cvssV3_1": {"baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2025-08-01T17:52:48.778Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037"}], "source": {"advisory": "HCSEC-2025-18", "discovery": "EXTERNAL"}, "title": "Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-01T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-6037"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-02T03:55:53.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6037", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-01T18:04:03.320089Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T18:04:06.710Z"}}], "cna": {"title": "Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates", "source": {"advisory": "HCSEC-2025-18", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122: Privilege Abuse"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "product": "Vault", "versions": [{"status": "affected", "version": "0", "lessThan": "1.20.1", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}, {"repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "product": "Vault Enterprise", "versions": [{"status": "affected", "changes": [{"at": "1.19.7", "status": "unaffected"}, {"at": "1.18.12", "status": "unaffected"}, {"at": "1.16.23", "status": "unaffected"}], "version": "0", "lessThan": "1.20.1", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037"}], "descriptions": [{"lang": "en", "value": "Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.", "supportingMedia": [{"type": "text/html", "value": "<p>Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.</p><br/>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2025-08-01T17:52:48.778Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6037", "state": "PUBLISHED", "dateUpdated": "2025-08-02T03:55:53.155Z", "dateReserved": "2025-06-12T18:21:50.999Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2025-08-01T17:52:48.778Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "FACD8B3A-DF81-45FE-A046-C52946E2FCC4", "versionEndExcluding": "1.16.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "3AC59271-E95C-433B-A789-F30C3DDBD579", "versionEndExcluding": "1.20.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9E750D53-BBA7-4922-85CA-E55852B0A23A", "versionEndExcluding": "1.18.12", "versionStartIncluding": "1.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "EE2F3725-EADA-4406-9D63-8EDAF161CE2A", "versionEndExcluding": "1.19.7", "versionStartIncluding": "1.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:1.20.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "562AD4B9-82F5-45C4-9214-7428247B790A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23."}, {"lang": "es", "value": "El m\u00e9todo de autenticaci\u00f3n de certificados TLS de Vault y Vault Enterprise (\u00abVault\u00bb) no validaba correctamente los certificados de cliente al configurarse con un certificado no perteneciente a una CA como [+certificado de confianza+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. En esta configuraci\u00f3n, un atacante podr\u00eda manipular un certificado malicioso que podr\u00eda usarse para suplantar la identidad de otro usuario. Corregido en Vault Community Edition 1.20.1 y Vault Enterprise 1.20.1, 1.19.7, 1.18.12 y 1.16.23."}], "id": "CVE-2025-6037", "lastModified": "2025-08-13T18:09:00.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2025-08-01T18:15:57.300", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/hashicorp/vault: Vault TLS Certificate Authentication Impersonation Vulnerability", "id": "2386013", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2386013"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-295", "details": ["Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-6037", "package_state": [{"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Fix deferred", "package_name": "cert-manager/cert-manager-operator-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Fix deferred", "package_name": "cert-manager/jetstack-cert-manager-acmesolver-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Fix deferred", "package_name": "cert-manager/jetstack-cert-manager-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:0", "fix_state": "Fix deferred", "package_name": "external-secrets-operator/external-secrets-operator-rhel9", "product_name": "external secrets operator for Red Hat OpenShift - Tech Preview"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Will not fix", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Will not fix", "package_name": "odf4/mcg-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Will not fix", "package_name": "odf4/mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Will not fix", "package_name": "odf4/odf-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "rhtas/client-server-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "rhtas/fulcio-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2025-08-01T17:52:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-6037\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-6037\nhttps://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037\nhttps://github.com/advisories/GHSA-6c5r-4wfc-3mcx"], "threat_severity": "Moderate"}