Re: Five new CVEs published for Cyberark Conjur OSS

[Solar Designer <solar () openwall com>]

On Wed, Jul 16, 2025 at 10:16:47PM +0000, Andy Tinkham wrote:
> On July 15, 2025, CyberArk disclosed 5 vulnerabilities in our Conjur OSS product.
>
>   * CVE-2025-49827<https://www.cve.org/CVERecord?id=CVE-2025-49827> - Critical - Bypass of IAM Authenticator in 
> Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS (GitHub 
> Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-gmc5-9mpc-xg75>)
>   * CVE-2025-49828<https://www.cve.org/CVERecord?id=CVE-2025-49828> - High - Remote Code Execution in Secrets 
> Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS (GitHub 
> Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-93hx-v9pv-qrm4>)
>   * CVE-2025-49829<https://www.cve.org/CVERecord?id=CVE-2025-49829> - Medium - Missing validations in Secrets 
> Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS (GitHub 
> Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-9w76-m74g-4c2r>)
>   * CVE-2025-49830<https://www.cve.org/CVERecord?id=CVE-2025-49830> - High - Path traversal and file disclosure in 
> Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS (GitHub 
> Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-7m6h-fqrm-m9c5>)
>   * CVE-2025-49831<https://www.cve.org/CVERecord?id=CVE-2025-49831> - Critical - IAM Authenticator Bypass via 
> Mis-configured Network Device in Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS (GitHub 
> Advisory<https://github.com/cyberark/conjur/security/advisories/GHSA-952q-mjrf-wp5j>)

> All users of Conjur OSS are encouraged to update to the 1.22.1 release, available on 
> DockerHub<https://hub.docker.com/layers/cyberark/conjur/1.22.1/images/sha256-331fecd01c5a8a6179165bedba57b85f7cd1283b6b2a9a4f29fcb1e7a92580b3>
>  and at the GitHub.com Conjur 1.22.1 release<https://github.com/cyberark/conjur/releases/tag/v1.22.1>.  These issues 
> also affect our Secrets Manager, Self-Hosted (formerly Conjur Enterprise) product and have been disclosed to our 
> customers in our security bulletin CA25-22<https://www.cyberark.com/CA25-22>.
> For further information, please see our blog 
> post<https://www.cyberark.com/resources/product-insights-blog/addressing-recent-vulnerabilities-and-our-commitment-to-security>.

Thank you for sharing this with oss-security!

There's now also a disclosure by Cyata, the researchers who found these
issues:
https://cyata.ai/blog/exploiting-a-full-chain-of-trust-flaws-how-we-went-from-unauthenticated-to-arbitrary-remote-code-execution-rce-in-cyberark-conjur/

They also looked for and found logic flaws in HashiCorp Vault, but I am
hoping we'll have a separate thread on that (I am asking them to post).

Meanwhile, attached is a plain text export of the above blog post.

Alexander

Attachment: exploiting-a-full-chain-of-trust-flaws-how-we-went-from-unauthenticated-to-arbitrary-remote-code-execution-rce-in-cyberark-conjur.txt
Description: