CVE-2025-49827
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-11-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cyberark | conjur | From 1.19.5 (inc) to 1.22.1 (exc) |
| cyberark | conjur | From 13.1 (inc) to 13.5.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted versions 13.1 through 13.6. An attacker who can manipulate AWS-signed headers can exploit a malformed regular expression to redirect authentication validation requests to a malicious server. This redirection allows the attacker to bypass the IAM authenticator in Secrets Manager, Self-Hosted, potentially gaining the permissions of the client whose request was manipulated.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to bypass the IAM authenticator in Conjur Secrets Manager, Self-Hosted, granting them unauthorized access to permissions associated with a legitimate client. This could lead to unauthorized access to secrets and sensitive infrastructure credentials, potentially compromising the security of your systems and applications.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Conjur OSS to version 1.22.1 or later, and Secrets Manager, Self-Hosted to versions 13.5.1 or 13.6.1 or later, as these versions contain fixes for the IAM authenticator bypass issue.