CVE-2023-5077
HIGH 7.6, EPSS 0.23%
HashiCorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
Published: 2023/9/29, Modified: 2026/2/4
Description
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
Affected packages (3)
- Bitnami/vault: >= 0.10.0, < 1.13.0
- Go/github.com/hashicorp/vault: from 0, < 1.13.0
- Go/github.com/hashicorp/vault: from 0, < 1.13.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
References (4)
- ADVISORY: https://github.com/advisories/GHSA-86c6-3g63-5w64
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-5077
- PATCH: https://github.com/hashicorp/vault
- WEB: https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654