CVE-2025-13357
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-12-10
Assigner: HashiCorp Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashicorp | terraform_provider | From 4.2.0 (inc) to 5.5.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because Vault's Terraform Provider incorrectly sets the default value of the deny_null_bind parameter for the LDAP authentication method to false. If the LDAP server allows anonymous or unauthenticated binds, this misconfiguration can lead to an authentication bypass, allowing unauthorized access.
How can this vulnerability impact me?
The vulnerability can lead to authentication bypass if the LDAP server permits anonymous or unauthenticated binds. This means unauthorized users could gain access to systems or data that should be protected, potentially compromising confidentiality and integrity.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Vault Terraform Provider to version 5.5.0 or later, where the vulnerability is fixed. Additionally, verify and ensure that the deny_null_bind parameter for the LDAP auth method is set to true to prevent authentication bypass if the LDAP server allows anonymous or unauthenticated binds.
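The following Terraform configuration is an added example, not code from BaseFortify or from HashiCorp; it shows the mitigation described above applied in a provider block. It assumes the provider's LDAP auth resource is named `vault_ldap_auth_backend` and that the auth method is mounted at the default `ldap` path; the hostname, base DNs and filter are placeholders.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
      # 5.5.0 is the fixed release named in this record; pinning at or above
      # it restores a secure default even where deny_null_bind is omitted.
      version = ">= 5.5.0"
    }
  }
}

# Assumed resource name: vault_ldap_auth_backend. Host and DN values are
# placeholders constructed for this example.
resource "vault_ldap_auth_backend" "corp" {
  path        = "ldap"
  url         = "ldaps://ldap.example.internal:636"
  userdn      = "ou=Users,dc=example,dc=internal"
  userattr    = "uid"
  groupdn     = "ou=Groups,dc=example,dc=internal"
  groupfilter = "(&(objectClass=groupOfNames)(member={{.UserDN}}))"

  # The fix itself. On provider versions in the affected range
  # (4.2.0 <= v < 5.5.0) leaving this unset resulted in false, so an LDAP
  # server that permits anonymous or unauthenticated binds could yield an
  # authentication bypass. Setting it explicitly to true is safe on every
  # provider version and survives a future downgrade or re-import.
  deny_null_bind = true
}
```

After `terraform apply`, confirm the effective setting on the Vault side rather than trusting state alone: `vault read auth/ldap/config` (adjust the path if the method is mounted elsewhere) should report `deny_null_bind true`. Auditing every LDAP auth mount this way is worthwhile even after upgrading, because mounts created under an affected provider version keep the value they were written with until the resource is re-applied.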