CVE-2023-4680

Summary

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

Affected Software

VendorProductVersion RangeStatus
HashiCorpVault1.14.0 < 1.14.3affected
HashiCorpVault1.13.0 < 1.13.7affected
HashiCorpVault1.12.0 < 1.12.11affected
HashiCorpVault1.6.0 < 1.12.0affected
HashiCorpVault Enterprise1.14.0 < 1.14.3affected
HashiCorpVault Enterprise1.13.0 < 1.13.7affected
HashiCorpVault Enterprise1.12.0 < 1.12.11affected
HashiCorpVault Enterprise1.6.0 < 1.12.0affected

Weaknesses

  • CWE-323: CWE-323: Reusing a Nonce, Key Pair in Encryption

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References