HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests for existing and non-existent LDAP users and observe the response from Vault to determine whether an account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
MITRE
Status: PUBLISHED
Assigner: HashiCorp
Published: 2023-07-31T22:40:23.432Z
Updated: 2024-08-02T06:55:03.557Z
Reserved: 2023-06-29T19:00:52.239Z
Link: CVE-2023-3462
NVD
Status: Analyzed
Published: 2023-07-31T23:15:10.360
Modified: 2023-08-04T16:50:04.120
Link: CVE-2023-3462