CVE-2023-3462: Observable Discrepancy

August 1, 2023

HashiCorp’s Vault and Vault Enterprise is vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

References

discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714
github.com/advisories/GHSA-9v3w-w2jh-4hff
nvd.nist.gov/vuln/detail/CVE-2023-3462

Detect and mitigate CVE-2023-3462 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →