x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v84f-6r39-cpfc

[GoVulnBot]

In GitHub Security Advisory GHSA-v84f-6r39-cpfc, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/hashicorp/vault	1.14.3	>= 1.14.0, < 1.14.3

Cross references:

• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gq98-53rq-qr5h #1849 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9mh8-9j64-443f #1897 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-wmg5-g953-qqfw #1900 NOT_IMPORTABLE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9v3w-w2jh-4hff #1986 EFFECTIVELY_PRIVATE
• Module github.com/hashicorp/vault appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-vq4h-9ghm-qmrr #1709

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 1.14.0
          fixed: 1.14.3
      vulnerable_at: 1.14.2
      packages:
        - package: github.com/hashicorp/vault
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 1.13.0
          fixed: 1.13.7
      vulnerable_at: 1.13.6
      packages:
        - package: github.com/hashicorp/vault
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 1.6.0
          fixed: 1.12.11
      vulnerable_at: 1.12.10
      packages:
        - package: github.com/hashicorp/vault
summary: HashiCorp Vault Improper Input Validation vulnerability
description: |-
    HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized
    users to specify arbitrary nonces, even with convergent encryption disabled. The
    encrypt endpoint, in combination with an offline attack, could be used to
    decrypt arbitrary ciphertext and potentially derive the authentication subkey
    when using transit secrets engine without convergent encryption. Introduced in
    1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.
cves:
    - CVE-2023-4680
ghsas:
    - GHSA-v84f-6r39-cpfc
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-4680
    - web: https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249
    - advisory: https://github.com/advisories/GHSA-v84f-6r39-cpfc

[gopherbot]

Change https://go.dev/cl/529256 mentions this issue: data/excluded: batch add 3 excluded reports

[gopherbot]

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports