CVE-2023-0620

Name of the Vulnerable Software and Affected Versions HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1

Description The issue is related to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. Certain parameters are not sanitized when passed to the user-provided MSSQL database, allowing an attacker to modify these parameters and execute a malicious SQL command. This can occur when configuring the MSSQL plugin through the local configuration.

Recommendations For versions 0.8.0 through 1.13.0, update to version 1.13.1, 1.12.5, or 1.11.9 to resolve the issue. As a temporary workaround, consider restricting access to the MSSQL Database Storage Backend configuration to minimize the risk of exploitation.