HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: HashiCorp
Published: 2023-05-01T19:41:17.600Z
Updated: 2023-05-01T19:41:17.600Z
Reserved: 2023-04-20T19:03:10.324Z
Link: CVE-2023-2197
JSON object: View
NVD Information
Status : Modified
Published: 2023-05-01T20:15:14.597
Modified: 2023-06-09T08:15:10.823
Link: CVE-2023-2197
JSON object: View
Redhat Information
No data.
CWE