CVE-2023-4680

Name of the Vulnerable Software and Affected Versions HashiCorp Vault and Vault Enterprise versions 1.6.0 through 1.12.10 HashiCorp Vault and Vault Enterprise versions 1.13.0 through 1.13.6 HashiCorp Vault and Vault Enterprise versions 1.14.0 through 1.14.2

Description The issue is related to improper input validation in the transit secrets engine of HashiCorp Vault and Vault Enterprise. This allows authorized users to specify arbitrary nonces, even when convergent encryption is disabled. The encrypt endpoint can be used in combination with an offline attack to decrypt arbitrary ciphertext and potentially derive the authentication subkey.

Recommendations For HashiCorp Vault and Vault Enterprise versions 1.6.0 through 1.12.10, update to version 1.12.11. For HashiCorp Vault and Vault Enterprise versions 1.13.0 through 1.13.6, update to version 1.13.7. For HashiCorp Vault and Vault Enterprise versions 1.14.0 through 1.14.2, update to version 1.14.3. As a temporary workaround, consider restricting access to the encrypt endpoint until a patch is available.