CVE-2023-3462 Vulnerability Details

  /     /     /  

CVE-2023-3462 Metadata Quick Info

CVE Published: 31/07/2023 | CVE Updated: 21/10/2024 | CVE Year: 2023
Source: HashiCorp | Vendor: HashiCorp | Product: Vault
Status : PUBLISHED

---

CVE-2023-3462 Description

HashiCorp\'s Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Metrics

CVSS Version: 3.1 | Base Score: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* NONE
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-203
CWE Name: CWE-203 Observable Discrepancy
Source: HashiCorp

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-575
CAPEC Description: CAPEC-575 Account Footprinting


Source: NVD (National Vulnerability Database).