Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-3462

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Published

2023-07-31T23:15:10.360

Last Modified

2024-11-21T08:17:19.147

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-203
Type: Primary
CWE-203

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	hashicorp	vault	< 1.13.5	Yes
Application	hashicorp	vault	< 1.13.5	Yes
Application	hashicorp	vault	1.14.0	Yes
Application	hashicorp	vault	1.14.0	Yes

References

https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714 Vendor Advisory ([email protected])
https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)