Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method

7.4 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

Basic Information

ID CVE-2025-13357

Source HashiCorp

Published Nov 21, 2025 at 15:02

Modified Nov 21, 2025 at 15:13

Affected Product

Vendor HashiCorp

Product Tooling

Version 4.2.0

Affected Versions HashiCorp Tooling 4.2.0

CWE Classification

CWE-1188

References

discuss.hashicorp.com /t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822

{
    "lastseen": "",
    "description": "Vault\u2019s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.",
    "published": "2025-11-21T15:02:27.081Z",
    "modified": "2025-11-21T15:13:57.083Z",
    "type": "cve",
    "title": "Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method",
    "source": "HashiCorp",
    "references": "https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822",
    "id": "CVE-2025-13357",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1188"
    ],
    "cvelist": null,
    "sourceData": "HashiCorp Tooling 4.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.4,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Tooling",
    "version": "4.2.0",
    "vendor": "HashiCorp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method_CVE-2025-13357