CVE-2023-24999
published 2023-03-11

CVE-2023-24999: HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID…

Priority: P3 43
Severity: high, 8.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.60% (44.0th percentile)
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

Affected (9 ranges)

Vendor       Product             Version range            Fixed in
github.com   hashicorp_vault     >= 0 < 1.10.11           1.10.11
github.com   hashicorp_vault     >= 1.11.0 < 1.11.8       1.11.8
github.com   hashicorp_vault     >= 1.12.0 < 1.12.4       1.12.4
hashicorp    vault               < 1.10.11                1.10.11
hashicorp    vault               >= 1.11.0 < 1.11.8       1.11.8
hashicorp    vault               >= 1.12.0 < 1.12.4       1.12.4
hashicorp    vault_enterprise    < 1.10.11                1.10.11
hashicorp    vault_enterprise    >= 1.11.0 < 1.11.8       1.11.8
hashicorp    vault_enterprise    >= 1.12.0 < 1.12.4       1.12.4
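
The ranges above are per minor line, so a plain "is my version below 1.13.0" check gives the wrong answer for patched 1.10.x, 1.11.x and 1.12.x builds. The following is an added example (not code from this page or from HashiCorp) that evaluates a Vault version string against exactly the ranges listed here. It assumes the string looks like the output of `vault version` (e.g. `Vault v1.12.3+ent (sha)`) or a bare `1.12.3`; Enterprise build metadata such as `+ent` or `+ent.hsm` is ignored, and a pre-release tag (`-rc1`) is ordered before the matching release, so `1.10.11-rc1` is treated as still affected.

```python
"""Check a Vault version string against the affected ranges for CVE-2023-24999."""
import re
from typing import List, Tuple

# Sort key: (major, minor, patch, release_flag). release_flag is 0 for a
# pre-release (-rc1, -beta1) and 1 for a final release, so 1.10.11-rc1 < 1.10.11.
Key = Tuple[int, int, int, int]

# Affected ranges exactly as listed on this page: lower bound inclusive,
# upper bound exclusive (the upper bound is the fixed release of that line).
AFFECTED_RANGES: List[Tuple[Key, Key]] = [
    ((0, 0, 0, 0), (1, 10, 11, 1)),    # >= 0      < 1.10.11
    ((1, 11, 0, 0), (1, 11, 8, 1)),    # >= 1.11.0 < 1.11.8
    ((1, 12, 0, 0), (1, 12, 4, 1)),    # >= 1.12.0 < 1.12.4
]

# Matches "v1.12.3", "1.12.3+ent", "1.13.0-rc1+ent.hsm"; build metadata after
# '+' is consumed but not captured, the pre-release tag after '-' is captured.
_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?"
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for the first semantic
    version found in `text`, e.g. the output of `vault version` (assumed format)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, m.group(4) is not None


def version_key(text: str) -> Key:
    """Build the comparable key used against AFFECTED_RANGES."""
    (major, minor, patch), prerelease = parse_version(text)
    return (major, minor, patch, 0 if prerelease else 1)


def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range on this page."""
    key = version_key(text)
    return any(lo <= key < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real cluster.
    samples = [
        "Vault v1.12.3+ent (0123abcd)",  # Enterprise, one patch short of the fix
        "Vault v1.12.4 (0123abcd)",      # fixed release on the 1.12 line
        "1.10.11-rc1",                   # pre-release precedes the 1.10.11 fix
        "1.10.11",
        "Vault v1.13.0",
        "1.9.0",
    ]
    for s in samples:
        print(f"{s:32} affected={is_affected(s)}")
```

Run it against the real output with `vault version | python3 check.py` style wrapping of your choice; the important design point is the fourth tuple element, which keeps a release candidate of a fixed version on the vulnerable side of the boundary rather than silently passing it.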

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
ghsa                      8.1     HIGH
osv                       8.1     HIGH
vendor_redhat             4.4     MEDIUM