How severe is CVE-2023-4680?

CVE-2023-4680 has a CVSS v3 score of 6.8 (MEDIUM).

CVE-2023-4680

Name: vault
Author: hashicorp

6.8MEDIUM

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an

公開日: 9/15/2023更新日: 11/21/2024

説明

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

AI分析AIによる分析

影響を受ける製品

hashicorpvault

参照

https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249
Vendor Advisory
https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249
Vendor Advisory