HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2023-05-01T19:41:17.600Z

Updated: 2024-08-02T06:12:20.674Z

Reserved: 2023-04-20T19:03:10.324Z

Link: CVE-2023-2197

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-05-01T20:15:14.597

Modified: 2024-11-21T07:58:08.163

Link: CVE-2023-2197

cve-icon Redhat

Severity : Low

Publid Date: 2023-05-01T00:00:00Z

Links: CVE-2023-2197 - Bugzilla