VYPR
Moderate severityNVD Advisory· Published Jul 31, 2023· Updated Oct 21, 2024

Vault's LDAP Auth Method Allows for User Enumeration

CVE-2023-3462

Description

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/hashicorp/vaultGo
< 1.13.51.13.5
github.com/hashicorp/vaultGo
>= 1.14.0, < 1.14.11.14.1

Affected products

28

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.