CVE-2025-49829

Summary

Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

Affected Software

VendorProductVersion RangeStatus
cyberarkconjurConjur OSS < 1.22.1affected
cyberarkconjurSecrets Manager, Self-Hosted (formerly known as Conjur Enterprise) < 13.5.1affected
cyberarkconjurSecrets Manager, Self-Hosted (formerly known as Conjur Enterprise) = 13.6affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References