CVE-2025-49829

Conjur OSS and Secrets Manager, Self-Hosted (formerly Conjur Enterprise) missing validations

CVSS 6 MEDIUMEPSS 0.4%CWE-862

Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Productos afectados

cyberark · conjur

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/cyberark/conjur/releases/tag/v1.22.1 https://github.com/cyberark/conjur/security/advisories/GHSA-9w76-m74g-4c2r http://www.openwall.com/lists/oss-security/2025/07/16/7 http://www.openwall.com/lists/oss-security/2025/08/08/1