CVE-2023-24999
CVSS V2 None
CVSS V3 None
Description
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
Overview
- CVE ID
- CVE-2023-24999
- Assigner
- security@hashicorp.com
- Vulnerability Status
- Analyzed
- Published Version
- 2023-03-11T00:15:09
- Last Modified Date
- 2023-03-16T17:03:07
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* | 1 | OR | 1.10.11 | |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* | 1 | OR | 1.10.11 | |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* | 1 | OR | 1.11.0 | 1.11.8 |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* | 1 | OR | 1.11.0 | 1.11.8 |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* | 1 | OR | 1.12.0 | 1.12.4 |
| cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* | 1 | OR | 1.12.0 | 1.12.4 |
References
| Reference URL | Reference Tags |
|---|---|
| https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305 | Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-24999 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24999 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-17 06:17:58 | Added to TrackCVE | |||
| 2023-04-17 06:18:00 | Weakness Enumeration | new |