Lucene search
HashiCorpCVELIST:CVE-2023-4680HistorySep 14, 2023 - 11:06 p.m.
CVE-2023-4680 Vault's Transit Secrets Engine Allowed Nonce Specified without Convergent Encryption
2023-09-1423:06:24
CWE-20
HashiCorp
raw.githubusercontent.com
3
hashicorp
vault
cve-2023-4680
nonce
vulnerability
fixed
transit engine
convergent encryption
offline attack
HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.
Related
prion
prion
Design/Logic Flaw
2023-09-15 00:15:00
cgr
cgr
CVE-2023-4680 vulnerabilities
2024-05-19 03:07:16
cve
cve
CVE-2023-4680
2023-09-15 00:15:07
alpinelinux
alpinelinux
CVE-2023-4680
2023-09-15 00:15:07
osv
osv
HashiCorp Vault Improper Input Validation vulnerability
2023-09-15 00:30:29
BIT-vault-2023-4680
2024-03-06 11:08:32
CVE-2023-4680
2023-09-15 00:15:07
wolfi
wolfi
CVE-2023-4680 vulnerabilities
2024-06-01 21:07:39
github
github
HashiCorp Vault Improper Input Validation vulnerability
2023-09-15 00:30:29
veracode
veracode
Improper Input Validation
2023-09-20 06:14:59
ibm
ibm
Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOps
2023-10-25 20:24:23