CVE-2023-3462

Summary

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Affected Software

VendorProductVersion RangeStatus
HashiCorpVault1.13.0 <= 1.13.4affected
HashiCorpVault1.14.0affected
HashiCorpVault Enterprise1.13.0 <= 1.13.4affected
HashiCorpVault Enterprise1.14.0affected

Weaknesses

  • CWE-203: CWE-203 Observable Discrepancy

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References