CVE-2023-5077
29.09.2023, 00:15
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| hashicorp | vault | 0.10.0 ≤ 𝑥 < 1.13.0 |
| hashicorp | vault | 0.10.0 ≤ 𝑥 < 1.13.0 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| hashicorp | vault | 0.10.0 ≤ 𝑥 < 1.13.0 | ADP |
| hashicorp | vault | 00.10.0 ≤ 𝑥 < 1.13.0 | ADP |
Common Weakness Enumeration
- CWE-266 - Incorrect Privilege AssignmentA product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
- CWE-732 - Incorrect Permission Assignment for Critical ResourceThe product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
References