CVE-2023-24999

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-24999

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-24999.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-24999

Aliases

Related

Withdrawn

2024-05-15T05:34:07.712591Z

Published

2023-03-11T00:15:09Z

Modified

2024-08-20T20:58:52.464265Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

References

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/vault
Events: Introduced

558abfa75702b5dab4c98e86b802fb9aef43b0eb

Fixed

0d09e842ac33626e0263d273510e08e1d079d921

Introduced

ea296ccf58507b25051bc0597379c467046eb2f1

Affected versions

v1.*

v1.12.0

v1.12.1

v1.12.2

v1.12.3