CVE-2023-2121 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-2121

CVE-2023-2121

June 09, 2023

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

Affected Packages

github.com/hashicorp/vault (GO):

Affected version(s) >=v1.13.0 <v1.13.3

Fix Suggestion:

Update to version v1.13.3

github.com/hashicorp/vault (GO):

Affected version(s) >=v1.12.0 <v1.12.7

Fix Suggestion:

Update to version v1.12.7

Related Resources (4)

https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814

https://github.com/advisories/GHSA-gq98-53rq-qr5h

https://nvd.nist.gov/vuln/detail/CVE-2023-2121

https://github.com/hashicorp/vault

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

EPSS

Base Score:

0.49

Products

Solutions

Resources

Company

Compare

Developer Tools