Vault v1.2.5 Release Notes

  • August 20th, 2020

    🔒 SECURITY:

    • When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero)
    • When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero)

    KNOWN ISSUES:

    • 💻 OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.
    • AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.2.5 Upgrade Guide.

    🐛 BUG FIXES:

    • seal: (enterprise) Fix issue causing stored seal and recovery keys to be mistaken as sealwrapped values