HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
History

Mon, 21 Oct 2024 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.17::el9

Wed, 09 Oct 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift
CPEs cpe:/a:redhat:openshift:4.16::el9
Vendors & Products Redhat openshift

cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2023-07-31T22:40:23.432Z

Updated: 2024-10-21T18:04:40.093Z

Reserved: 2023-06-29T19:00:52.239Z

Link: CVE-2023-3462

cve-icon Vulnrichment

Updated: 2024-08-02T06:55:03.557Z

cve-icon NVD

Status : Modified

Published: 2023-07-31T23:15:10.360

Modified: 2024-11-21T08:17:19.147

Link: CVE-2023-3462

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-07-31T00:00:00Z

Links: CVE-2023-3462 - Bugzilla