CVE-2025-49829

EUVD-2025-21550

15.07.2025, 20:15

Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Affected Products (NVD)

Vendor	Product	Version
cyberark	conjur	𝑥 < 1.22.1
cyberark	conjur	𝑥 < 13.5.1
cyberark	conjur	13.6

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/cyberark/conjur/releases/tag/v1.22.1

https://github.com/cyberark/conjur/security/advisories/GHSA-9w76-m74g-4c2r

http://www.openwall.com/lists/oss-security/2025/07/16/7

http://www.openwall.com/lists/oss-security/2025/08/08/1