alpinelinux | Alpine Linux Development Team | ALPINE:CVE-2023-4680
History: Sep 15, 2023 - 12:15 a.m.

CVE-2023-4680

2023-09-15 00:15:07
Alpine Linux Development Team
security.alpinelinux.org
hashicorp vault
vault enterprise
transit secrets engine
authorized users
convergent encryption
offline attack
ciphertext
authentication subkey
arbitrary nonces
unix

EPSS: 0.0005 (Low), percentile 17.9%

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

OS | OS Version | Architecture | Package | Package Version | Filename
Alpine | 3.18-community | noarch | vault | = 1.13.5-r3 | UNKNOWN
