CVE-2023-3462: Vault's LDAP Auth Method Allows for User Enumeration

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-3462

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Vault's LDAP Auth Method Allows for User Enumeration

Source: NVD (National Vulnerability Database)

Vulnerability Description

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

通过差异性导致的信息暴露

Source: NVD (National Vulnerability Database)

Vulnerability Title

HashiCorp Vault 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

HashiCorp Vault是美国HashiCorp公司的一款私钥访问管理工具。 HashiCorp Vault 1.14.1 之前版本、 1.13.5之前版本存在安全漏洞，该漏洞源于使用 LDAP 身份验证方法时，HashiCorp 的 Vault 和 Vault Enterprise 容易受到用户枚举攻击，攻击者利用该漏洞可以提交现有和不存在的 LDAP 用户的请求，并观察 Vault 的响应，以检查该帐户在 LDAP 服务器上是否有效。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
HashiCorp	Vault	1.13.0 ~ 1.13.4	-
HashiCorp	Vault Enterprise	1.13.0 ~ 1.13.4	-

II. Public POCs for CVE-2023-3462

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-3462

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: Vault

Same vendor: HashiCorp

Same weakness: CWE-203

V. Comments for CVE-2023-3462

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-3462

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-3462

III. Intelligence Information for CVE-2023-3462

IV. Related Vulnerabilities

V. Comments for CVE-2023-3462

Leave a comment