AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

OR
          *cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* versions from (including) 1.10.0 up to (excluding) 1.20.2
          *cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* versions from (including) 1.10.0 up to (including) 1.15.16
          *cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* versions from (including) 1.16.0 up to (excluding) 1.16.24
          *cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* versions from (including) 1.17.0 up to (excluding) 1.18.13
          *cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* versions from (including) 1.19.0 up to (excluding) 1.19.8
          *cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* versions from (including) 1.20.0 up to (excluding) 1.20.2

HashiCorp Inc.: https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092 Types: Vendor Advisory

Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-156

https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092