Home > Vulnerability Database > CVE-2023-25000

Mend.io Vulnerability Database

CVE-2023-25000

Good to know:

Date: March 29, 2023

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Language: Go

Severity Score

5.0

Related Resources (7)

Url: https://security.netapp.com/advisory/ntap-20230526-0008/

Url: https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078

Url: https://github.com/hashicorp/vault/pull/19495

Url: https://github.com/hashicorp/vault

Url: https://security.netapp.com/advisory/ntap-20230526-0008

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-25000

Url: https://www.mend.io/vulnerability-database/CVE-2023-25000

Severity Score

5.0

Weakness Type (CWE)

Observable Discrepancy

CWE-203

Observable Timing Discrepancy

CWE-208

Top Fix

Upgrade Version

Upgrade to version github.com/hashicorp/vault - v1.11.9;github.com/hashicorp/vault - v1.12.5;github.com/hashicorp/vault - v1.13.1

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-25000

Good to know:

Date: March 29, 2023

Language: Go

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?