HashiCorp Vault
cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*
- >= 1.13.0, <= 1.20.0
- 1.19.6
- 1.18.11
- 1.16.22
- 1.15.15
A vulnerability exists in HashiCorp Vault and Vault Enterprise that allows the user lockout feature to be bypassed for the Userpass and LDAP authentication methods. This issue affects Vault Community Edition versions 1.13.0 prior to 1.20.0 and Vault Enterprise versions 1.13.0 prior to 1.20.0, as well as 1.19.6, 1.18.11, 1.16.22, and 1.15.15. The vulnerability arises because the lockout mechanism did not properly normalize entity aliases, so an attacker could exploit case sensitivity in usernames to evade the lockout. The issue has been addressed by correcting the normalization process and ensuring that case sensitivity is handled correctly for the affected authentication methods.
Exploiting this vulnerability bypasses Vault's user lockout mechanism, allowing repeated login attempts to continue against an account that should already have been locked out.
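To illustrate the normalization defect described above, the following is an added Go example (not Vault's own code) of a per-alias failed-login counter in its unnormalized and normalized forms. The `userpass` mount name, the threshold of five failures and the sample usernames are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Lockout tracker modelled on the behaviour the advisory describes (added
// example, not Vault's own code). Failed logins are counted per entity alias
// on a given auth mount; reaching Threshold locks that alias.
type LockoutTracker struct {
	Threshold int
	normalize bool           // false reproduces the unnormalized, vulnerable behaviour
	failures  map[string]int // counter key -> failed attempts
}

func NewLockoutTracker(threshold int, normalize bool) *LockoutTracker {
	return &LockoutTracker{Threshold: threshold, normalize: normalize, failures: map[string]int{}}
}

// key builds the counter key. Userpass and LDAP usernames that differ only in
// case must share one alias, so the fixed variant lowercases the username.
func (t *LockoutTracker) key(mount, username string) string {
	if t.normalize {
		username = strings.ToLower(username)
	}
	return mount + "/" + username
}
// RecordFailure counts one failed login and reports whether the alias is now locked.
func (t *LockoutTracker) RecordFailure(mount, username string) bool {
	k := t.key(mount, username)
	t.failures[k]++
	return t.failures[k] >= t.Threshold
}
// IsLocked reports whether further attempts for this alias should be rejected.
func (t *LockoutTracker) IsLocked(mount, username string) bool {
	return t.failures[t.key(mount, username)] >= t.Threshold
}
func main() {
	// Constructed sample: five failures against one account with varied casing.
	attempts := []string{"alice", "Alice", "ALICE", "aLiCe", "alice"}
	for _, norm := range []bool{false, true} {
		tr := NewLockoutTracker(5, norm)
		for _, u := range attempts {
			tr.RecordFailure("userpass", u)
		}
		fmt.Printf("normalize=%v locked=%v\n", norm, tr.IsLocked("userpass", "alice"))
	}
}
```

With normalization off the five failures are spread over four separate counters and the account is never locked; with normalization on they all land on one alias and the lockout triggers at the fifth attempt.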
Users are advised to upgrade to Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23. For general upgrade guidance, refer to the HashiCorp Vault Upgrading documentation.