Fluid Attacks Database

Description

HashiCorp Vault Improper Input Validation vulnerability HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/vault	>=1.6.0 <1.12.11 \|\| >=1.13.0 <1.13.7 \|\| >=1.14.0 <1.14.3	1.12.11, 1.13.7, 1.14.3

Aliases

1. CVE-2023-46802. NVD-2023-46803. OSV-2023-46804. GCVE-2023-4680

References

1. https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.