HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests for existing and non-existent LDAP users and compare Vault's responses to determine whether an account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
History
21 Nov 2024, 08:17
Type | Values Removed | Values Added |
---|---|---|
References | () https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714 - Vendor Advisory |
04 Aug 2023, 16:50
Type | Values Removed | Values Added |
---|---|---|
First Time | Hashicorp; Hashicorp vault | |
CWE | CWE-203 | |
CPE | cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* cpe:2.3:a:hashicorp:vault:1.14.0:*:*:*:enterprise:*:*:* cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* cpe:2.3:a:hashicorp:vault:1.14.0:*:*:*:-:*:*:* | |
CVSS | v2 : v3 : | v2 : unknown; v3 : 5.3 |
References | (MISC) https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714 - Vendor Advisory |
31 Jul 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-31 23:15
Updated : 2024-11-21 08:17
NVD link : CVE-2023-3462
Mitre link : CVE-2023-3462
CVE.ORG link : CVE-2023-3462
Products Affected
hashicorp
- vault
CWE
CWE-203
Observable Discrepancy