CVE-2023-2197

EPSS 0.02%
Published 01.05.2023 20:15:14
Last modified 30.01.2025 16:15:29
Source security@hashicorp.com
Teams watchlist Login
Open Login

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Hashicorp ≫ Vault SwEditionenterprise Version >= 1.13.0 < 1.13.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.031

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	2.5	1	1.4	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	2.5	1	1.4	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
security@hashicorp.com	2.5	0.8	1.4	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322

Vendor Advisory

Mitigation

https://security.netapp.com/advisory/ntap-20230609-0007/

https://nvd.nist.gov/vuln/detail/CVE-2023-2197

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2197

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2197

EUVD