CVE-2023-5077 Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets

2023-09-2823:24:28

CWE-732

HashiCorp

www.cve.org

cve-2023-5077

vault

google cloud

iam conditions

rolesets

security issue

fixed issue

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

0.0005 Low

EPSS

Percentile

18.0%

JSON

The Vault and Vault Enterprise (“Vault”) Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

CNA Affected

[
  {
    "vendor": "HashiCorp",
    "product": "Vault",
    "platforms": [
      "Windows",
      "MacOS",
      "Linux",
      "x86",
      "ARM",
      "64 bit",
      "32 bit"
    ],
    "versions": [
      {
        "lessThan": "1.13.0",
        "status": "affected",
        "version": "0.10.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "HashiCorp",
    "product": "Vault Enterprise",
    "platforms": [
      "Windows",
      "MacOS",
      "Linux",
      "x86",
      "ARM",
      "64 bit",
      "32 bit"
    ],
    "versions": [
      {
        "lessThan": "1.13.0",
        "status": "affected",
        "version": "0.10.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]