Vulnerability Details : CVE-2023-3462
HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
Products affected by CVE-2023-3462
- cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
- cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:vault:1.14.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:vault:1.14.0:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-3462
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 19 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-3462
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
HashiCorp Inc. |
CWE ids for CVE-2023-3462
-
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.Assigned by:
- nvd@nist.gov (Primary)
- security@hashicorp.com (Secondary)
References for CVE-2023-3462
-
https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714
HCSEC-2023-24 - Vault's LDAP Auth Method Allows for User Enumeration - Security - HashiCorp DiscussVendor Advisory
Jump to