GHSA-v84f-6r39-cpfc

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-v84f-6r39-cpfc/GHSA-v84f-6r39-cpfc.json
Aliases
  • CVE-2023-4680
Published
2023-09-15T00:30:29Z
Modified
2023-09-15T19:03:05Z
Details

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

References

Affected packages

Go / github.com/hashicorp/vault

Source Details

Affected ranges

Type
SEMVER
Events
Introduced
1.6.0
Fixed
1.12.11

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Go / github.com/hashicorp/vault

Source Details

Affected ranges

Type
SEMVER
Events
Introduced
1.13.0
Fixed
1.13.7

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Go / github.com/hashicorp/vault

Source Details

Affected ranges

Type
SEMVER
Events
Introduced
1.14.0
Fixed
1.14.3

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}