CVE-2023-2197 Vulnerability Details

  /     /     /  

CVE-2023-2197 Metadata Quick Info

CVE Published: 01/05/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: HashiCorp | Vendor: HashiCorp | Product: Vault Enterprise
Status : PUBLISHED

CVE-2023-2197 Description

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2

Metrics

CVSS Version: 3.1 | Base Score: 2.5 LOW
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* LOCAL
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* HIGH
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* NONE
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-326
CWE Name: CWE-326 Inadequate Encryption Strength
Source: HashiCorp

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-463
CAPEC Description: CAPEC-463 Padding Oracle Crypto Attack


Source: NVD (National Vulnerability Database).

Last added CVEs

▸ CVE-2024-9999 ◂
Discovered: 12/11/2024
Status: PUBLISHED
▸ CVE-2024-9997 ◂
Discovered: 29/10/2024
Status: PUBLISHED
▸ CVE-2024-9996 ◂
Discovered: 29/10/2024
Status: PUBLISHED



Tags:
CVE-2023-2197 Vulnerability Details