Improper Authorization

CVE-2023-0665

Medium

6.5/10

Summary

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This issue affects github.com/hashicorp/vault versions 1.11.x prior to 1.11.9, 1.12.x prior to 1.12.5 and 1.13.x prior to 1.13.1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: LOW

CWE-285 - Improper Authorization

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

Advisory
Advisory
Issue
Pull request

Advisory Timeline

Published Mar 30, 2023

Improper Authorization

CVE-2023-0665

Summary

CWE-285 - Improper Authorization

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS