CVE-2023-24999

EPSS 0.09%
Veröffentlicht 11.03.2023 00:15:09
Zuletzt bearbeitet 21.11.2024 07:48:54
Quelle security@hashicorp.com
Teams Watchlist Login
Unerledigt Login

HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hashicorp ≫ Vault SwEdition- Version < 1.10.11

Hashicorp ≫ Vault SwEditionenterprise Version < 1.10.11

Hashicorp ≫ Vault SwEdition- Version >= 1.11.0 < 1.11.8

Hashicorp ≫ Vault SwEditionenterprise Version >= 1.11.0 < 1.11.8

Hashicorp ≫ Vault SwEdition- Version >= 1.12.0 < 1.12.4

Hashicorp ≫ Vault SwEditionenterprise Version >= 1.12.0 < 1.12.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.264

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
security@hashicorp.com	4.4	0.7	3.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305

Vendor Advisory

https://security.netapp.com/advisory/ntap-20230505-0001/

https://nvd.nist.gov/vuln/detail/CVE-2023-24999

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-24999

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-24999

EUVD