CVE-2023-25000

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-25000
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-25000.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-25000
Aliases
Related
Withdrawn
2024-05-08T06:52:07.663985Z
Published
2023-03-30T01:15:07Z
Modified
2024-09-11T06:13:13.497174Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to the host, and the ability to observe a large number of unseal operations on it through a side channel, may reduce the search space of a brute-force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

References

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type
GIT
Repo
https://github.com/hashicorp/vault
Events

Affected versions

v1.*

v1.12.0
v1.12.1
v1.12.2
v1.12.3
v1.12.4