Moderate severityNVD Advisory· Published Jul 31, 2023· Updated Oct 21, 2024

Vault's LDAP Auth Method Allows for User Enumeration

CVE-2023-3462

Description

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/hashicorp/vaultGo	< 1.13.5	1.13.5
github.com/hashicorp/vaultGo	>= 1.14.0, < 1.14.1	1.14.1

Affected products

Hashicorp/Vaultv5
Range: 1.13.0
HashiCorp/Vault Enterprisev5
Range: 1.13.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-9v3w-w2jh-4hffghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-3462ghsaADVISORY
discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000