Lucene search

K
osvGoogleOSV:BIT-VAULT-2023-2197
HistoryMar 06, 2024 - 11:09 a.m.

BIT-vault-2023-2197

2024-03-0611:09:21
Google
osv.dev
6
padding oracle attack
hsm
encryption mechanisms
cipher text interception
root key derivation
software vulnerability

CVSS3

2.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

3.7

Confidence

High

EPSS

0

Percentile

14.0%

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with theย CKM_AES_CBC_PAD orย CKM_AES_CBC encryption mechanisms.ย An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vaultโ€™s root key. Fixed in 1.13.2

CVSS3

2.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

3.7

Confidence

High

EPSS

0

Percentile

14.0%