CVE-2023-24999 - OpenCVE

HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hashicorp	Vault

Configuration 1 [-]

OR	cpe:2.3:a:hashicorp:vault:::::-:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::-:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::-:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305	Vendor Advisory
https://security.netapp.com/advisory/ntap-20230505-0001/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: HashiCorp

Published: 2023-03-10T23:12:47.638Z

Updated: 2023-03-10T23:12:47.638Z

Reserved: 2023-02-01T17:54:13.893Z

Link: CVE-2023-24999

JSON object: View

NVD Information

Status : Modified

Published: 2023-03-11T00:15:09.410

Modified: 2023-05-05T20:15:10.137

Link: CVE-2023-24999

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-24999", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2023-02-01T17:54:13.893Z", "datePublished": "2023-03-10T23:12:47.638Z", "dateUpdated": "2023-03-10T23:12:47.638Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2023-03-10T23:12:47.638Z"}, "title": "Vault Fails to Verify if the AppRole SecretID Belongs to Role During a Destroy Operation", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "HashiCorp", "product": "Vault", "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "repo": "https://github.com/hashicorp/vault", "versions": [{"lessThan": "1.12.4", "status": "affected", "version": "1.12.0", "versionType": "semver"}, {"lessThan": "1.11.8", "status": "affected", "version": "1.11.0", "versionType": "semver"}, {"lessThan": "1.10.11", "status": "affected", "version": "0", "versionType": "semver"}]}, {"vendor": "HashiCorp", "product": "Vault Enterprise", "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "versions": [{"lessThan": "1.12.4", "status": "affected", "version": "1.12.0", "versionType": "semver"}, {"lessThan": "1.11.8", "status": "affected", "version": "1.11.0", "versionType": "semver"}, {"lessThan": "1.10.11", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "HashiCorp Vault and Vault Enterprise\u2019s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>HashiCorp Vault and Vault Enterprise\u2019s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.</p><br>"}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305"}, {"url": "https://security.netapp.com/advisory/ntap-20230505-0001/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "EXTERNAL"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "9F8302EA-93E3-4181-8616-04598ED0C598", "versionEndExcluding": "1.10.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "7C538086-CAAD-4E99-A250-2B51F7D4FA70", "versionEndExcluding": "1.10.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "6B9B93DD-17A5-4230-AD7D-C1D96046A73D", "versionEndExcluding": "1.11.8", "versionStartIncluding": "1.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "FC94042C-B42F-4F60-92E7-5ECF0F0ABFD9", "versionEndExcluding": "1.11.8", "versionStartIncluding": "1.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "90C9579E-35EE-4DCE-96F6-DF64B52BBDE6", "versionEndExcluding": "1.12.4", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "DE915EDC-95E7-4D29-AA3E-7D41108275F4", "versionEndExcluding": "1.12.4", "versionStartIncluding": "1.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "HashiCorp Vault and Vault Enterprise\u2019s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above."}], "id": "CVE-2023-24999", "lastModified": "2023-05-05T20:15:10.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2023-03-11T00:15:09.410", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305"}, {"source": "security@hashicorp.com", "url": "https://security.netapp.com/advisory/ntap-20230505-0001/"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@hashicorp.com", "type": "Secondary"}]}