Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets
CVE-2023-5077
7.5 HIGH
Summary
The Google Cloud secrets engine in HashiCorp Vault removes existing IAM Conditions when creating or updating rolesets. This flaw affects how Vault interacts with Google Cloud IAM and can compromise the intended access controls and security configurations. Users should upgrade to Vault version 1.13.0 or later to mitigate this issue and ensure that IAM Conditions are preserved during roleset management.
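A check a defender can run around roleset changes, given here as an added example (not code from Vault or from this advisory): it compares two snapshots of a Google Cloud IAM policy in its JSON form and reports grants whose condition disappeared. The function names and the sample policies are assumptions constructed for illustration.

```python
# Added example. Assumes both snapshots were fetched with requested policy
# version 3, so that conditional bindings carry their "condition" block.

def grants(policy):
    """Map (role, member) -> set of condition expressions (None = unconditional)."""
    out = {}
    for binding in policy.get("bindings", []):
        expr = (binding.get("condition") or {}).get("expression")
        for member in binding.get("members", []):
            out.setdefault((binding["role"], member), set()).add(expr)
    return out

def dropped_conditions(before, after):
    """Return grants that were condition-only before and lost a condition after."""
    old, new = grants(before), grants(after)
    findings = []
    for (role, member), exprs in sorted(old.items()):
        now = new.get((role, member))
        if None in exprs or now is None:
            continue  # already unconditional, or the grant was removed entirely
        lost = sorted(exprs - now)
        if lost or None in now:
            findings.append({"role": role, "member": member,
                             "lost": lost, "now_unconditional": None in now})
    return findings

# Constructed sample data: a project policy before and after a roleset update.
REPORTS_SA = "serviceAccount:reports@example-project.iam.gserviceaccount.com"
ROLESET_SA = "serviceAccount:vault-roleset@example-project.iam.gserviceaccount.com"
EXPR = 'resource.name.startsWith("projects/_/buckets/reports")'
BEFORE = {"version": 3, "bindings": [
    {"role": "roles/storage.objectViewer", "members": [REPORTS_SA],
     "condition": {"title": "reports-only", "expression": EXPR}},
    {"role": "roles/viewer", "members": ["group:ops@example.com"]},
]}
AFTER = {"version": 1, "bindings": [
    {"role": "roles/storage.objectViewer", "members": [REPORTS_SA, ROLESET_SA]},
    {"role": "roles/viewer", "members": ["group:ops@example.com"]},
]}

if __name__ == "__main__":
    for finding in dropped_conditions(BEFORE, AFTER):
        print(finding)
```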
Affected Version(s)
Vault 64 bit 0.10.0 < 1.13.0
Vault Enterprise 64 bit 0.10.0 < 1.13.0
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved