CVE-2023-5077
published 2023-09-29CVE-2023-5077: The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets…
PriorityP338high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
0.44%
34.9th percentile
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0 < 1.13.0 | 1.13.0 |
| hashicorp | vault | >= 0.10.0 < 1.13.0 | 1.13.0 |
| hashicorp | vault_enterprise | >= 0.10.0 < 1.13.0 | 1.13.0 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vendor_redhat7.6HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault
osv·2024-08-21
CVE-2023-5077 Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault
OSV
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
osv·2023-09-29
CVE-2023-5077 [HIGH] Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
GHSA
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
ghsa·2023-09-29
CVE-2023-5077 [HIGH] CWE-266 Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
Red Hat
hashicorp/vault: Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets
vendor_redhat·2023-09-29·CVSS 7.6
CVE-2023-5077 [HIGH] CWE-732 hashicorp/vault: Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets
hashicorp/vault: Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
A flaw was found in HashiCorp Vault and Vault Enterprise. This issue could allow a remote authenticated attacker to bypass security restrictions, due to a flaw in the Google Cloud secrets engine when creating or updating rolesets. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the IAM policy.
Package: openshift4/topology-aware-lifecycle-manager-rhel8-operator (Red Hat OpenShift Container Platform 4) - Not affected
Package: ocs4/cephcsi-rhel8 (Red Hat
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654
2023-09-29
Published