HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: HashiCorp
Published: 2023-05-01T19:41:17.600Z
Updated: 2024-08-02T06:12:20.674Z
Reserved: 2023-04-20T19:03:10.324Z
Link: CVE-2023-2197
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-05-01T20:15:14.597
Modified: 2024-11-21T07:58:08.163
Link: CVE-2023-2197
Redhat