CVE-2023-24999

HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
Configurations

Configuration 1

cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

History

21 Nov 2024, 07:48

Type: CVSS
  Values removed: v2 : unknown; v3 : 8.1
  Values added:   v2 : unknown; v3 : 4.4

Type: References
  Values removed: https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305 - Vendor Advisory
  Values added:   https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305 - Vendor Advisory

Type: References
  Values removed: https://security.netapp.com/advisory/ntap-20230505-0001/
  Values added:   https://security.netapp.com/advisory/ntap-20230505-0001/

Information

Published : 2023-03-11 00:15

Updated : 2024-11-21 07:48


NVD link : CVE-2023-24999

Mitre link : CVE-2023-24999

CVE.ORG link : CVE-2023-24999


Products Affected

hashicorp

  • vault
CWE

CWE-863: Incorrect Authorization