CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
EPSS
Percentile: 20.6%
A flaw was found in the Google Cloud secrets engine of HashiCorp Vault and Vault Enterprise, affecting the creation and updating of rolesets. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to bypass security restrictions, namely the IAM policy.
bugzilla.redhat.com/show_bug.cgi?id=2241980
discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654/1
github.com/advisories/GHSA-86c6-3g63-5w64
nvd.nist.gov/vuln/detail/CVE-2023-5077
www.cve.org/CVERecord?id=CVE-2023-5077