CVE-2023-3462
User Enumeration vulnerability in vault (Go)

Category: User Enumeration. Known public exploit: none.

What is CVE-2023-3462 About?

HashiCorp Vault and Vault Enterprise contain a user enumeration vulnerability, allowing attackers to determine valid usernames. This passively aids brute-force or credential stuffing attacks. The vulnerability is relatively easy to exploit, as it likely involves observing responses when attempting logins.

Affected Software

  • github.com/hashicorp/vault
    • <1.13.5
    • >1.14.0, <1.14.1

Technical Details

The user enumeration vulnerability in HashiCorp Vault and Vault Enterprise arises from discrepancies in the responses returned by authentication mechanisms when provided with valid versus invalid usernames. An attacker can craft requests (e.g., login attempts) with various usernames and observe subtle differences in error messages, response timings, or status codes. These differences, even if minimal, can be used to distinguish whether a username is valid or not, without needing the correct password. This effectively allows an attacker to build a list of valid users, which significantly narrows down the target space for subsequent brute-force, password spraying, or credential stuffing attacks.
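The response-discrepancy pattern described above, shown as an added Go example that is not Vault's code and does not reproduce the specific code path behind CVE-2023-3462. It contrasts a login handler whose error message differs for unknown users versus wrong passwords with one that returns a single generic error and performs the same password-hash work for every request, so that neither the message nor the timing reveals whether the username exists. The user store, the `toyHash` function and the `responsesDiffer` self-check are constructed for illustration (the hashing is a stand-in, not a password-hashing scheme to copy).

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// user holds a per-user salt and the hash of the password (constructed sample data).
type user struct {
	salt []byte
	hash []byte
}

// toyHash is a placeholder for a real password hash (bcrypt/argon2 in production).
func toyHash(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

// users is a constructed store with a single valid account.
var users = map[string]user{
	"alice": {salt: []byte("salt-a"), hash: toyHash([]byte("salt-a"), "correct horse")},
}

// leakyLogin answers differently for an unknown user and for a wrong password,
// and skips the hash computation for unknown users. Both differences let a
// caller tell valid usernames from invalid ones without knowing any password.
func leakyLogin(username, password string) (bool, string) {
	u, ok := users[username]
	if !ok {
		return false, "unknown user"
	}
	if subtle.ConstantTimeCompare(toyHash(u.salt, password), u.hash) != 1 {
		return false, "invalid password"
	}
	return true, "ok"
}

// dummy is checked against when the username does not exist, so the handler
// does the same amount of work regardless of whether the user is real.
var dummy = user{salt: []byte("dummy-salt"), hash: toyHash([]byte("dummy-salt"), "unused")}

// uniformLogin returns one generic message for every failure and always runs
// the hash comparison, removing both the message and the timing discrepancy.
func uniformLogin(username, password string) (bool, string) {
	u, ok := users[username]
	if !ok {
		u = dummy
	}
	match := subtle.ConstantTimeCompare(toyHash(u.salt, password), u.hash) == 1
	if !ok || !match {
		return false, "invalid username or password"
	}
	return true, "ok"
}

// responsesDiffer is a self-check for a login function: it reports whether the
// failure message for a real user with a wrong password differs from the
// failure message for a user that does not exist.
func responsesDiffer(login func(string, string) (bool, string)) bool {
	_, knownUserMsg := login("alice", "wrong password")
	_, unknownUserMsg := login("nobody", "wrong password")
	return knownUserMsg != unknownUserMsg
}

func main() {
	fmt.Println("leaky handler distinguishes users:", responsesDiffer(leakyLogin))
	fmt.Println("uniform handler distinguishes users:", responsesDiffer(uniformLogin))
}
```

The same self-check can be pointed at any authentication endpoint you operate: if the failure body, status code or latency for a known account differs from that of a made-up one, the endpoint is enumerable and the fix is to make failures indistinguishable, as `uniformLogin` does.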

What is the Impact of CVE-2023-3462?

Successful exploitation may allow attackers to identify valid user accounts, facilitate brute-force attacks, aid in social engineering, and increase the likelihood of unauthorized access.

What is the Exploitability of CVE-2023-3462?

Exploitation of this user enumeration vulnerability is generally simple. It typically involves sending authentication requests (e.g., login attempts) with various usernames and observing the server's response. The attack is remote, as it targets the authentication endpoints. No prior authentication is required to perform the enumeration itself. No special privileges are needed. The prerequisites are simply the ability to send requests to the Vault's authentication interface. There are no specific technical constraints mentioned. The risk of exploitation increases when Vault authentication endpoints are publicly exposed, allowing an attacker to systematically test usernames and gather valid accounts, which can then be used in more targeted attacks.

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2023-3462?

Available Upgrade Options

  • github.com/hashicorp/vault
    • <1.13.5 → Upgrade to 1.13.5
  • github.com/hashicorp/vault
    • >1.14.0, <1.14.1 → Upgrade to 1.14.1


Additional Resources

What are Similar Vulnerabilities to CVE-2023-3462?

Similar Vulnerabilities: CVE-2023-46726, CVE-2023-45733, CVE-2023-4357, CVE-2023-37903, CVE-2023-36055