CVE-2023-2197 — Vulnetix

CVE-2023-2197 PUBLISHED

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2

EPSS 0.01% · 2.1th percentile

Risk Scores

EPSS Score

0.01%

2.1th percentile

Affected Products

Vendor	Product	Versions
Bitnami	vault	1.13.0
Bitnami	vault	1.13.0

Timeline

May 1, 2023 CVE Published
May 2, 2023 EPSS Score
Jun 8, 2023 EPSS Score
Jul 15, 2023 EPSS Score
Aug 21, 2023 EPSS Score
Sep 27, 2023 EPSS Score
Nov 3, 2023 EPSS Score
Dec 10, 2023 EPSS Score
Jan 16, 2024 EPSS Score
Feb 22, 2024 EPSS Score
Mar 30, 2024 EPSS Score
May 6, 2024 EPSS Score

References

https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322 url
https://security.netapp.com/advisory/ntap-20230609-0007/ url
https://nvd.nist.gov/vuln/detail/CVE-2023-2197 url

Open in Interactive Console →