CVE-2023-2197

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-2197
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-2197.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-2197
Aliases
Published
2023-05-01T20:15:14Z
Modified
2025-07-29T10:47:53.024722Z
Severity
  • 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKMAESCBCPAD or CKMAES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2

References

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type
GIT
Repo
https://github.com/hashicorp/vault
Events
Introduced
a4cf0dc4437de35fce4860857b64569d092a9b5a
Fixed
b9b773f1628260423e6cc9745531fd903cae853f

Affected versions

v1.*

v1.13.0
v1.13.1