CVE-2023-3462

MEDIUM

HashiCorp Vault < 1.13.5 - User Enumeration via LDAP Auth Method

Title source: llm

Description

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit login requests for existing and non-existent LDAP users and compare Vault's responses to determine whether an account exists on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Scores

CVSS v3 5.3
EPSS 0.0097
EPSS Percentile 76.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-203
Status published
Products (3)
hashicorp/vault 1.14.0 (2 CPE variants)
hashicorp/vault 0 - 1.13.5 (Go)
hashicorp/vault 1.13.0 - 1.13.5 (2 CPE variants)
Published Jul 31, 2023
Tracked Since Feb 18, 2026