HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2
References
Configurations
History
21 Nov 2024, 07:58
Type | Values Removed | Values Added |
---|---|---|
References | () https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322 - Mitigation, Vendor Advisory | |
References | () https://security.netapp.com/advisory/ntap-20230609-0007/ - |
09 Jun 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2023-05-01 20:15
Updated : 2024-11-21 07:58
NVD link : CVE-2023-2197
Mitre link : CVE-2023-2197
CVE.ORG link : CVE-2023-2197
JSON object : View
Products Affected
hashicorp
- vault
CWE
CWE-326
Inadequate Encryption Strength