Vulnerability Database

313,825

Total vulnerabilities in the database

CVE-2023-3462

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Published: Jul 31, 2023
Updated: Nov 16, 2025
CVE: CVE-2023-3462
GHSA: GHSA-9v3w-w2jh-4hff
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-203

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/vault	-	1.13.5
github.com/hashicorp/vault	1.14.0	1.14.0.x
github.com/hashicorp/vault	1.14.0	1.14.1
hashicorp / vault	1.14.0	1.14.0.x
hashicorp / vault	1.13.0	1.13.5

https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo