CVE-2023-25000

🗓️ 30 Mar 2023 00:17:46Reported by HashiCorpType

HashiCorp Vault's Shamir's secret sharing implementation vulnerable to cache-timing attacks, allowing reduction in brute force search space. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9

Reporter	Title	Published	Views	Family All 26
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to an Observable Timing Discrepancy in Vault (CVE-2023-25000)	4 Apr 202521:24	–	ibm
Chainguard	CVE-2023-25000 vulnerabilities	30 Mar 202301:15	–	cgr
CNNVD	HashiCorp Vault 安全漏洞	30 Mar 202300:00	–	cnnvd
Cvelist	CVE-2023-25000 Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations	30 Mar 202300:17	–	cvelist
EUVD	EUVD-2023-1119	3 Oct 202520:07	–	euvd
Github Security Blog	HashiCorp Vault's implementation of Shamir's secret sharing vulnerable to cache-timing attacks	30 Mar 202303:30	–	github
NVD	CVE-2023-25000	30 Mar 202301:15	–	nvd
OSV	BIT-VAULT-2023-25000 Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations	6 Mar 202411:09	–	osv
OSV	CGA-474C-XQHF-2V88	15 Jul 202421:51	–	osv
OSV	CGA-6JC3-C8PF-FWPG	6 Jun 202412:24	–	osv

NVD

Node

hashicorp vaultRange<1.11.9-

hashicorp vaultRange<1.11.9enterprise

hashicorp vaultRange1.12.0–1.12.5-

hashicorp vaultRange1.12.0–1.12.5enterprise

hashicorp vaultRange1.13.0–1.13.1-

hashicorp vaultRange1.13.0–1.13.1enterprise

[
  {
    "vendor": "HashiCorp",
    "product": "Vault",
    "platforms": [
      "Windows",
      "MacOS",
      "Linux",
      "x86",
      "ARM",
      "64 bit",
      "32 bit"
    ],
    "repo": "https://github.com/hashicorp/vault",
    "versions": [
      {
        "status": "affected",
        "version": "1.13.0",
        "lessThan": "1.13.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "1.12.0",
        "lessThan": "1.12.5",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "1.11.0",
        "lessThan": "1.11.9",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.11.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "HashiCorp",
    "product": "Vault Enterprise",
    "platforms": [
      "Windows",
      "MacOS",
      "Linux",
      "x86",
      "ARM",
      "64 bit",
      "32 bit"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "1.13.0",
        "lessThan": "1.13.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "1.12.0",
        "lessThan": "1.12.5",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "1.11.0",
        "lessThan": "1.11.9",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.11.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
discuss	www.discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078
security	www.security.netapp.com/advisory/ntap-20230526-0008/

21 Nov 2024 07:48Current

4.9Medium risk

Vulners AI Score4.9

CVSS 3.14.7 - 5

EPSS0.00046

SSVC