CVE-2023-3462

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Published: Aug 1, 2023
Updated: May 9, 2024
CVE: CVE-2023-3462
GHSA: GHSA-9v3w-w2jh-4hff
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-203

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/vault	-	1.13.5
github.com/hashicorp/vault	1.14.0	1.14.0.x
github.com/hashicorp/vault	1.14.0	1.14.1
hashicorp / vault	1.14.0	1.14.0.x
hashicorp / vault	1.13.0	1.13.5

https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714

Vulnerability Database

CVE-2023-3462