8.1

CVE-2023-24999

Vault Fails to Verify if the AppRole SecretID Belongs to Role During a Destroy Operation

HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HashicorpVault SwEdition- Version < 1.10.11
HashicorpVault SwEditionenterprise Version < 1.10.11
HashicorpVault SwEdition- Version >= 1.11.0 < 1.11.8
HashicorpVault SwEditionenterprise Version >= 1.11.0 < 1.11.8
HashicorpVault SwEdition- Version >= 1.12.0 < 1.12.4
HashicorpVault SwEditionenterprise Version >= 1.12.0 < 1.12.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.18% 0.394
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
security@hashicorp.com 4.4 0.7 3.6
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.