CVE-2023-0665

Summary

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Affected Software

VendorProductVersion RangeStatus
HashiCorpVault1.13.0 < 1.13.1affected
HashiCorpVault1.12.0 < 1.12.5affected
HashiCorpVault1.11.0 < 1.11.9affected
HashiCorpVault Enterprise1.13.0 < 1.13.1affected
HashiCorpVault Enterprise1.12.0 < 1.12.5affected
HashiCorpVault Enterprise1.11.0 < 1.11.9affected

Weaknesses

  • CWE-285: CWE-285 Improper Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References