← Back

CVE-2023-25000

nvd nist
Published: Mar 30, 2023Modified: Nov 21, 2024

JSON object

Loading...
4.7
Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.0 / Impact: 3.6
Source: NVD

Description

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Affected (6)

Products: Hashicorp: Vault
Hashicorp
1 product
Vault
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Hashicorp
Vault
Before 1.11.9
Vault
From 1.12.0 to 1.12.5
Vault
From 1.13.0 to 1.13.1
Vault
Before 1.11.9
Vault
From 1.12.0 to 1.12.5
Vault
From 1.13.0 to 1.13.1

Related CWEs

CWE-203
Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CWE-208
Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (4)

Source: security@hashicorp.com
Issue TrackingPatchVendor Advisory
Source: security@hashicorp.com
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingPatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.