CVE-2023-2197

CVSS V2 None CVSS V3 None

Description

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2

Overview

CVE ID
CVE-2023-2197

Assigner
security@hashicorp.com

Vulnerability Status
Received

Published Version
2023-05-01T20:15:14

Last Modified Date
2023-05-01T20:15:14

Weakness Enumerations

CWE	URL
CWE-326	http://cwe.mitre.org/data/definitions/326.html

References

Reference URL	Reference Tags
https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-2197
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2197

History

Created	Old Value	New Value	Data Type	Notes
2023-05-01 21:01:31				Added to TrackCVE
2023-05-01 21:01:36			Weakness Enumeration	new