x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708
Description
In GitHub Security Advisory GHSA-hwc3-3qh6-r4gg, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/hashicorp/vault | 1.13.1 | >= 1.13.0, < 1.13.1 |
Cross references:
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021 EFFECTIVELY_PRIVATE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685 EFFECTIVELY_PRIVATE
See doc/triage.md for instructions on how to triage this report.
modules:
- module: github.com/hashicorp/vault
versions:
- introduced: 1.13.0
fixed: 1.13.1
packages:
- package: github.com/hashicorp/vault
- module: github.com/hashicorp/vault
versions:
- introduced: 1.12.0
fixed: 1.12.5
packages:
- package: github.com/hashicorp/vault
- module: github.com/hashicorp/vault
versions:
- fixed: 1.11.9
packages:
- package: github.com/hashicorp/vault
summary: HashiCorp Vault's PKI mount vulnerable to denial of service
description: HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize
access to remove an issuer or modify issuer metadata, potentially resulting in
denial of service of the PKI mount. This bug did not affect public or private
key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5,
and 1.11.9.
cves:
- CVE-2023-0665
ghsas:
- GHSA-hwc3-3qh6-r4gg
references:
- web: https://nvd.nist.gov/vuln/detail/CVE-2023-0665
- web: https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1
- advisory: https://github.com/advisories/GHSA-hwc3-3qh6-r4gg