HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This is fixed in versions 1.6.2 and 1.5.7.
https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336
https://github.com/hashicorp/vault/pull/10650
https://github.com/hashicorp/vault/commit/131123918ae8e6ca1ffba4dd7ed32b04c2068dd3