Lucene search

GitHub Advisory DatabaseGHSA-GQ98-53RQ-QR5H

HistoryJun 09, 2023 - 6:30 p.m.

Hashicorp Vault vulnerable to Cross-site Scripting

2023-06-0918:30:34

CWE-79

GitHub Advisory Database

github.com

hashicorp vault

cross-site scripting

html injection

vulnerability

cve-2023-2121

security

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.7%

JSON

Vault and Vault Enterprise’s (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

Affected configurations

Vulners

Node

hashicorpvaultRange<1.13.3

hashicorpvaultRange<1.12.7

hashicorpvaultRange<1.11.11

CPENameOperatorVersion
github.com/hashicorp/vaultlt1.13.3
github.com/hashicorp/vaultlt1.12.7
github.com/hashicorp/vaultlt1.11.11

Name	Operator	Version
github.com/hashicorp/vault	lt	1.13.3
github.com/hashicorp/vault	lt	1.12.7
github.com/hashicorp/vault	lt	1.11.11

References

discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814

github.com/advisories/GHSA-gq98-53rq-qr5h

nvd.nist.gov/vuln/detail/CVE-2023-2121