{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-0620", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2023-02-01T21:59:23.556Z", "datePublished": "2023-03-30T00:28:13.301Z", "dateUpdated": "2024-08-02T05:17:50.188Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2023-03-30T18:41:52.858Z"}, "title": "Vault Vulnerable to SQL Injection When Configuring the Microsoft SQL Database Storage Backend", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "affected": [{"vendor": "HashiCorp", "product": "Vault", "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "repo": "https://github.com/hashicorp/vault", "versions": [{"lessThan": "1.13.1", "status": "affected", "version": "1.13.0", "versionType": "semver"}, {"lessThan": "1.12.5", "status": "affected", "version": "1.12.0", "versionType": "semver"}, {"lessThan": "1.11.9", "status": "affected", "version": "0.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "HashiCorp", "product": "Vault Enterprise", "platforms": ["Windows", "MacOS", "Android", "x86", "ARM", "64 bit", "32 bit"], "versions": [{"lessThan": "1.13.1", "status": "affected", "version": "1.13.0", "versionType": "semver"}, {"lessThan": "1.12.5", "status": "affected", "version": "1.12.0", "versionType": "semver"}, {"lessThan": "1.11.9", "status": "affected", "version": "0.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin through the local, certain parameters are not sanitized when passed to the user-provided MSSQL database. An attacker may modify these parameters to execute a malicious SQL command.\n\nThis issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin, certain parameters are not sanitized when passed to the user-provided MSSQL database. An attacker may modify these parameters to execute a malicious SQL command.</p>This issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9."}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080/1"}, {"url": "https://security.netapp.com/advisory/ntap-20230526-0008/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Yuval Ostrovsky, Gal Goldshtein, Daniel Abeles of Oxeye", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"advisory": "HCSEC-2023-12", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:17:50.188Z"}, "title": "CVE Program Container", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080/1", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230526-0008/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "2C565DBD-95F4-4951-A029-93ABE5315740", "versionEndExcluding": "1.11.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "80EB9F32-09A4-469C-AF76-1AE3137EAC1B", "versionEndExcluding": "1.11.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "446F872F-F64C-44CA-85BC-144FCFBCFA8B", "versionEndExcluding": "1.12.5", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "71A02FE6-C8D4-455D-A71A-C8353E1ECB7C", "versionEndExcluding": "1.12.5", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "81280166-3DF7-4867-95E9-A7AFB9A12CE7", "versionEndExcluding": "1.13.1", "versionStartIncluding": "1.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C56E203C-1E18-4395-B500-B6EA695B16C0", "versionEndExcluding": "1.13.1", "versionStartIncluding": "1.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin through the local, certain parameters are not sanitized when passed to the user-provided MSSQL database. An attacker may modify these parameters to execute a malicious SQL command.\n\nThis issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9."}], "id": "CVE-2023-0620", "lastModified": "2023-05-26T20:15:30.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.9, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2023-03-30T01:15:07.380", "references": [{"source": "security@hashicorp.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080/1"}, {"source": "security@hashicorp.com", "url": "https://security.netapp.com/advisory/ntap-20230526-0008/"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:1326", "cpe": "cpe:/a:redhat:openshift:4.13::el8", "package": "openshift4/ose-installer:v4.13.0-202305091542.p0.g44db7b2.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2023-05-17T00:00:00Z"}, {"advisory": "RHSA-2023:5006", "cpe": "cpe:/a:redhat:openshift:4.14::el8", "package": "openshift4/ose-installer:v4.14.0-202310201027.p0.g03546e5.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2023-10-31T00:00:00Z"}, {"advisory": "RHSA-2023:3742", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.13::el9", "package": "odf4/ocs-rhel9-operator:v4.13.0-67", "product_name": "RHODF-4.13-RHEL-9", "release_date": "2023-06-21T00:00:00Z"}, {"advisory": "RHSA-2023:3742", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.13::el9", "package": "odf4/odf-rhel9-operator:v4.13.0-24", "product_name": "RHODF-4.13-RHEL-9", "release_date": "2023-06-21T00:00:00Z"}], "bugzilla": {"description": "vault: Vault\u2019s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File", "id": "2184663", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184663"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-89", "details": ["HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin through the local, certain parameters are not sanitized when passed to the user-provided MSSQL database. An attacker may modify these parameters to execute a malicious SQL command.\nThis issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9.", "A flaw was found in HashiCorp Vault and Vault Enterprise, which are vulnerable to SQL injection. This flaw allows a local authenticated attacker to send specially-crafted SQL statements to the Microsoft SQL (MSSQL) Database Storage Backend, which could allow the attacker to view, add, modify, or delete information in the backend database."], "name": "CVE-2023-0620", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-loki-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/topology-aware-lifecycle-manager-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/cephcsi-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odr-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2023-03-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0620\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0620\nhttps://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080"], "threat_severity": "Moderate", "upstream_fix": "and 1.11.9, Vault 1.13.1, Vault 1.12.5"}