CVE-2023-3462 MEDIUM

CVE-2023-3462: Vault's LDAP Auth Method Allows for User Enumeration

Vendor HashiCorp
Product Vault
Weakness CWE-203
Published July 31, 2023
Last update October 21, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker can submit login requests for both existing and non-existent LDAP users and compare Vault's responses to determine whether an account exists on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Key dates

Disclosure timeline

July 31, 2023 CVE published
October 21, 2024 Record updated