HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit login requests for existent and non-existent LDAP users and observe the differing responses from Vault to determine whether an account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
References
| Link | Resource |
|---|---|
| https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: HashiCorp
Published: 2023-07-31T22:40:23.432Z
Updated: 2023-07-31T22:40:23.432Z
Reserved: 2023-06-29T19:00:52.239Z
Link: CVE-2023-3462
NVD Information
Status : Analyzed
Published: 2023-07-31T23:15:10.360
Modified: 2023-08-04T16:50:04.120
Link: CVE-2023-3462
Redhat Information
No data.
CWE