GHSA-v84f-6r39-cpfc

Source

https://github.com/advisories/GHSA-v84f-6r39-cpfc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-v84f-6r39-cpfc/GHSA-v84f-6r39-cpfc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v84f-6r39-cpfc

Aliases

Related

CGA-hhgm-mv22-ff57

Published

2023-09-15T00:30:29Z

Modified

2024-08-21T14:56:45.605099Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

HashiCorp Vault Improper Input Validation vulnerability

Details

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

Database specific

{
    "nvd_published_at": "2023-09-15T00:15:07Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-323"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-15T19:03:05Z"
}

References

Affected packages

Go / github.com/hashicorp/vault

Package

Name: github.com/hashicorp/vault; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

1.6.0

Fixed

1.12.11

Go / github.com/hashicorp/vault

Package

Name: github.com/hashicorp/vault; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

1.13.0

Fixed

1.13.7

Go / github.com/hashicorp/vault

Package

Name: github.com/hashicorp/vault; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/vault

Affected ranges

Type: SEMVER
Events: Introduced

1.14.0

Fixed

1.14.3