x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-wmg5-g953-qqfw #1900
Description
In GitHub Security Advisory GHSA-wmg5-g953-qqfw, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/hashicorp/vault | 1.12.4 | >= 1.12.0, < 1.12.4 |
Cross references:
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021 EFFECTIVELY_PRIVATE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685 EFFECTIVELY_PRIVATE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708 EFFECTIVELY_PRIVATE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gq98-53rq-qr5h #1849 NOT_IMPORTABLE
- Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-vq4h-9ghm-qmrr #1709
See doc/triage.md for instructions on how to triage this report.
modules:
- module: github.com/hashicorp/vault
versions:
- introduced: 1.12.0
fixed: 1.12.4
vulnerable_at: 1.12.3
packages:
- package: github.com/hashicorp/vault
- module: github.com/hashicorp/vault
versions:
- introduced: 1.11.0
fixed: 1.11.8
vulnerable_at: 1.11.7
packages:
- package: github.com/hashicorp/vault
- module: github.com/hashicorp/vault
versions:
- fixed: 1.10.11
vulnerable_at: 1.10.10
packages:
- package: github.com/hashicorp/vault
summary: |-
Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a
Destroy Operation
description: |-
When using the Vault and Vault Enterprise (Vault) approle auth method, any
authenticated user with access to the
`/auth/approle/role/:role_name/secret-id-accessor/destroy` endpoint can destroy
the secret ID of any other role by providing the secret ID accessor. This
vulnerability, CVE-2023-24999, has been fixed in Vault 1.13.0, 1.12.4, 1.11.8,
1.10.11 and above.
cves:
- CVE-2023-24999
ghsas:
- GHSA-wmg5-g953-qqfw
references:
- web: https://nvd.nist.gov/vuln/detail/CVE-2023-24999
- web: https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305
- advisory: https://github.com/advisories/GHSA-wmg5-g953-qqfw