CVE-2023-5077 HIGH

CVE-2023-5077: Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets

Vendor: HashiCorp
Product: Vault
Weakness: CWE-266
Published: September 28, 2023
Last update: September 26, 2024

CVSS base score: 7.6/10

Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

Key dates

02 Disclosure timeline

September 28, 2023: CVE published
September 26, 2024: Record updated