HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit login requests for existing and non-existent LDAP users and observe the response from Vault to determine whether the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
References
Link | Resource |
---|---|
https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714 | Vendor Advisory |
Configurations
Configuration 1
History
04 Aug 2023, 16:50
Type | Values Removed | Values Added |
---|---|---|
First Time | | Hashicorp; Hashicorp vault |
CWE | | CWE-203 |
CVSS | v2 : ; v3 : | v2 : unknown; v3 : 5.3 |
CPE | | cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*; cpe:2.3:a:hashicorp:vault:1.14.0:*:*:*:enterprise:*:*:*; cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*; cpe:2.3:a:hashicorp:vault:1.14.0:*:*:*:-:*:*:* |
References | | (MISC) https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714 - Vendor Advisory |
31 Jul 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2023-07-31 23:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-3462
Mitre link : CVE-2023-3462
CVE.ORG link : CVE-2023-3462
Products Affected
hashicorp
- vault
CWE
CWE-203: Observable Discrepancy