CVE-2023-2197

EPSS 0.03%
Veröffentlicht 01.05.2023 20:15:14
Zuletzt bearbeitet 30.01.2025 16:15:29
Quelle security@hashicorp.com
CVE-Watchlists
Login
Unerledigt
Login

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hashicorp ≫ Vault SwEditionenterprise Version >= 1.13.0 < 1.13.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.066

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	2.5	1	1.4	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	2.5	1	1.4	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
security@hashicorp.com	2.5	0.8	1.4	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322

Vendor Advisory

Mitigation

https://security.netapp.com/advisory/ntap-20230609-0007/

https://nvd.nist.gov/vuln/detail/CVE-2023-2197

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2197

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2197

EUVD