CVE-2025-49827
📋 TL;DR
This vulnerability allows attackers to bypass IAM authentication in Conjur by manipulating AWS-signed headers to redirect validation requests to malicious servers. Attackers can gain the permissions of compromised clients, affecting both Conjur OSS and Secrets Manager, Self-Hosted deployments.
💻 Affected Systems
- Conjur OSS
- Secrets Manager, Self-Hosted (formerly Conjur Enterprise)
📦 What is this software?
Conjur by CyberArk
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the secrets management system, allowing unauthorized access to all stored secrets and credentials.
Likely Case
Unauthorized access to specific secrets or credentials based on the compromised client's permissions.
If Mitigated
Limited impact where network segmentation restricts access to Conjur and monitoring detects anomalous authentication attempts.
🎯 Exploit Status
Requires ability to manipulate AWS-signed headers and redirect validation requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Conjur OSS 1.22.1; Secrets Manager, Self-Hosted 13.5.1 and 13.6.1
Vendor Advisory: https://github.com/cyberark/conjur/security/advisories/GHSA-gmc5-9mpc-xg75
Restart Required: Yes
Instructions:
1. Back up your Conjur configuration and data.
2. Update to the patched version using your deployment method (Docker, Kubernetes, etc.).
3. Restart Conjur services.
4. Verify authentication functionality.
🔧 Temporary Workarounds
Disable IAM Authenticator
Temporarily disable IAM authentication if it is not required, forcing clients to use other authentication methods.
# Edit Conjur configuration to remove or comment IAM authenticator settings
# Restart Conjur services after configuration change
🧯 If You Can't Patch
- Implement strict network controls to limit access to Conjur authentication endpoints
- Enable detailed logging and monitoring for IAM authentication attempts and anomalies
🔍 How to Verify
Check if Vulnerable:
Check the Conjur version against the affected ranges: Conjur OSS 1.19.5 through 1.22.0, or Secrets Manager, Self-Hosted 13.1 through 13.5 and 13.6 (fixed in 13.5.1 and 13.6.1).
Check Version:
docker exec conjur conjur version # For Docker deployments or check deployment-specific version command
Verify Fix Applied:
Confirm version is Conjur OSS 1.22.1+ or Secrets Manager 13.5.1+/13.6.1+ and test IAM authentication functionality.
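The affected and fixed versions listed above can be turned into a mechanical check for inventory or CI use. The following Python is an added example, not part of this advisory or of Conjur itself; the product keys "oss" and "self-hosted" are labels chosen here, and the script only knows the ranges this page lists, so any version outside them is reported as "outside listed ranges" rather than as safe.

```python
import re

# Version ranges from the advisory summary above: lower bound inclusive,
# upper bound exclusive, None meaning open-ended. The product keys are
# labels chosen for this example, not Conjur identifiers.
AFFECTED = {
    "oss": [((1, 19, 5), (1, 22, 1))],            # 1.19.5 through 1.22.0
    "self-hosted": [((13, 1, 0), (13, 5, 1)),     # 13.1 through 13.5.0
                    ((13, 6, 0), (13, 6, 1))],    # 13.6.0
}
FIXED = {
    "oss": [((1, 22, 1), None)],                   # 1.22.1 and later
    "self-hosted": [((13, 5, 1), (13, 6, 0)),      # 13.5.1 up to 13.6.0
                    ((13, 6, 1), None)],           # 13.6.1 and later
}


def parse_version(text):
    """Turn '1.22.0', 'v13.5' or '13.5.1-rc1' into a 3-tuple of ints."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short forms so that '13.5' compares as 13.5.0; longer forms
    # are left as-is (the multiplier becomes zero or negative).
    return parts + (0,) * (3 - len(parts))


def in_range(v, lo, hi):
    """True when lo <= v < hi, with hi=None meaning no upper bound."""
    return v >= lo and (hi is None or v < hi)


def assess(product, version_text):
    """Return 'vulnerable', 'fixed' or 'outside listed ranges'."""
    v = parse_version(version_text)
    if any(in_range(v, lo, hi) for lo, hi in AFFECTED[product]):
        return "vulnerable"
    if any(in_range(v, lo, hi) for lo, hi in FIXED[product]):
        return "fixed"
    return "outside listed ranges"


if __name__ == "__main__":
    for product, ver in [("oss", "1.22.0"), ("oss", "1.22.1"),
                         ("self-hosted", "13.5"), ("self-hosted", "13.6.1")]:
        print(product, ver, "->", assess(product, ver))
```

Feed it the version string reported by your deployment's version command; a result of "outside listed ranges" (for example a release older than 1.19.5) means the advisory says nothing about that version, and the vendor advisory should be consulted rather than assuming it is unaffected.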
📡 Detection & Monitoring
Log Indicators:
- Failed IAM authentication attempts with unusual source IPs
- Authentication requests to unexpected AWS endpoints
- Multiple authentication failures from same client
Network Indicators:
- Outbound connections from Conjur to non-AWS endpoints during authentication
- DNS requests for unusual domains during IAM validation
SIEM Query:
source="conjur" AND ("IAM authentication" OR "authenticator") AND (status=failed OR destination_ip NOT IN aws_ip_ranges)
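The log and network indicators above, applied offline to a few constructed log lines. This Python is an added example and is not from the advisory or from Conjur: the key=value log format, the field names, and the single AWS prefix are assumptions made here. A real deployment would adapt the regex to its actual Conjur log format and load the STS prefixes from the AWS-published ip-ranges.json instead of the constructed list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed key=value format (not real
# Conjur output). The entry from 203.0.113.7 succeeded although the
# validation request went to a non-AWS address, which is the pattern
# the network indicators above describe.
SAMPLE_LOGS = """\
2025-07-01T10:00:01Z authenticator=authn-iam client_ip=10.1.2.3 status=success destination_ip=52.94.0.10
2025-07-01T10:00:05Z authenticator=authn-iam client_ip=10.1.2.3 status=failed destination_ip=52.94.0.10
2025-07-01T10:00:09Z authenticator=authn-iam client_ip=10.1.2.3 status=failed destination_ip=52.94.0.10
2025-07-01T10:00:12Z authenticator=authn-iam client_ip=10.1.2.3 status=failed destination_ip=52.94.0.10
2025-07-01T10:01:00Z authenticator=authn-iam client_ip=203.0.113.7 status=success destination_ip=198.51.100.25
2025-07-01T10:02:00Z authenticator=authn-ldap client_ip=10.1.2.4 status=failed destination_ip=-
"""

# Constructed stand-in for the AWS address space; in production, load the
# prefixes for the STS service from https://ip-ranges.amazonaws.com/ip-ranges.json
AWS_IP_RANGES = [ipaddress.ip_network("52.94.0.0/16")]

# Assumed log layout; adjust to the fields your Conjur deployment emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+authenticator=(?P<authenticator>\S+)"
    r"\s+client_ip=(?P<client_ip>\S+)\s+status=(?P<status>\S+)"
    r"\s+destination_ip=(?P<destination_ip>\S+)$"
)


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def iam_events(log_text):
    """Keep only parsed events produced by the IAM authenticator."""
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [e for e in parsed if e and e["authenticator"] == "authn-iam"]


def is_aws_destination(ip_text, aws_nets=AWS_IP_RANGES):
    """True when the address falls inside a known AWS prefix."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # missing or malformed address counts as non-AWS
        return False
    return any(ip in net for net in aws_nets)


def non_aws_validations(events, aws_nets=AWS_IP_RANGES):
    """IAM validation requests that left Conjur for a non-AWS address."""
    return [e for e in events if not is_aws_destination(e["destination_ip"], aws_nets)]


def repeated_failures(events, threshold=3):
    """Clients with at least `threshold` failed IAM authentications."""
    counts = Counter(e["client_ip"] for e in events if e["status"] == "failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def analyze(log_text=SAMPLE_LOGS, aws_nets=AWS_IP_RANGES, threshold=3):
    """Summarise both indicator classes for a block of log text."""
    events = iam_events(log_text)
    return {
        "non_aws_destinations": [
            (e["client_ip"], e["destination_ip"]) for e in non_aws_validations(events, aws_nets)
        ],
        "repeated_failures": repeated_failures(events, threshold),
    }


if __name__ == "__main__":
    print(analyze())
```

Of the two findings, the validation request that reached a non-AWS address is the one to treat as a potential exploitation attempt and escalate; a burst of failures from a single client is weaker evidence on its own and is better used as a correlation signal alongside the destination check.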