{"id":"CVE-2020-35177","details":"HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.","aliases":["BIT-vault-2020-35177","GHSA-rpgp-9hmg-j25x","GO-2024-2508"],"modified":"2026-03-14T10:28:36.910709Z","published":"2020-12-17T05:15:10.737Z","references":[{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984"},{"type":"ADVISORY","url":"https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#161"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/vault","events":[{"introduced":"340cc2fa263f6cbd2861b41518da8a62c153e2e7"},{"fixed":"5799790292fd6f65b08b63df8e8f0981c29c8d15"},{"introduced":"340cc2fa263f6cbd2861b41518da8a62c153e2e7"},{"fixed":"5799790292fd6f65b08b63df8e8f0981c29c8d15"},{"introduced":"7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4"},{"fixed":"6d2db3f033e02e70202bef9ec896360062b88b03"},{"introduced":"7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4"},{"fixed":"6d2db3f033e02e70202bef9ec896360062b88b03"}],"database_specific":{"versions":[{"introduced":"1.5.0"},{"fixed":"1.5.6"},{"introduced":"1.5.0"},{"fixed":"1.5.6"},{"introduced":"1.6.0"},{"fixed":"1.6.1"},{"introduced":"1.6.0"},{"fixed":"1.6.1"}]}}],"versions":["v1.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-35177.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}