GHSA-v84f-6r39-cpfc

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-v84f-6r39-cpfc/GHSA-v84f-6r39-cpfc.json

Aliases

CVE-2023-4680

Published

2023-09-15T00:30:29Z

Modified

2023-09-15T19:03:05Z

Details

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

References

Affected packages

Go / github.com/hashicorp/vault

Source Details

Package Name: github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

1.6.0

Fixed

1.12.11

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Go / github.com/hashicorp/vault

Source Details

Package Name: github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

1.13.0

Fixed

1.13.7

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Go / github.com/hashicorp/vault

Source Details

Package Name: github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

1.14.0

Fixed

1.14.3

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}