CVE-2023-0665

Vault PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata

CVSS 6.5 MEDIUMEPSS 0.3%CWE-285

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

30 Mar 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected products

HashiCorp · Vault HashiCorp · Vault Enterprise

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1 https://security.netapp.com/advisory/ntap-20230526-0008/