CVE-2023-4680

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

Published: Sep 15, 2023
Updated: May 9, 2024
CVE: CVE-2023-4680
GHSA: GHSA-v84f-6r39-cpfc
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.8
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/vault	1.6.0	1.12.11
github.com/hashicorp/vault	1.13.0	1.13.7
github.com/hashicorp/vault	1.14.0	1.14.3
hashicorp / vault	1.13.0	1.13.7
hashicorp / vault	1.14.0	1.14.3
hashicorp / vault	1.6.0	1.12.11

https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249

Vulnerability Database

CVE-2023-4680