Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-2121

Опубликовано: 09 июн. 2023
Источник: redhat
CVSS3: 4.3
EPSS Низкий

Описание

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

A flaw was found in HashiCorp Vault and Vault Enterprise, where they are vulnerable to Cross-site scripting caused by improper validation of user-supplied input by the key-value v2 (kv-v2) diff viewer. A remote, authenticated attacker can inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. This flaw allows an attacker to steal the victim's cookie-based authentication credentials.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Logging Subsystem for Red Hat OpenShiftopenshift-logging/logging-loki-rhel8Not affected
Red Hat OpenShift Container Platform 4openshift4/ose-installerWill not fix
Red Hat OpenShift Container Platform 4openshift4/topology-aware-lifecycle-manager-rhel8-operatorNot affected
Red Hat Openshift Container Storage 4ocs4/cephcsi-rhel8Out of support scope
Red Hat Openshift Container Storage 4ocs4/mcg-rhel8-operatorOut of support scope
Red Hat Openshift Container Storage 4ocs4/ocs-rhel8-operatorOut of support scope
Red Hat Openshift Container Storage 4ocs4/rook-ceph-rhel8-operatorOut of support scope
Red Hat Openshift Data Foundation 4odf4/cephcsi-rhel9Affected
Red Hat Openshift Data Foundation 4odf4/mcg-rhel9-operatorAffected
Red Hat Openshift Data Foundation 4odf4/ocs-client-rhel9-operatorAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=2214237hashicorp: html injection into web ui

EPSS

Процентиль: 68%
0.00587
Низкий

4.3 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2023-2121

CVSS3: 4.3
nvd
около 2 лет назад

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

github логотип

GHSA-gq98-53rq-qr5h

CVSS3: 4.3
github
около 2 лет назад

Hashicorp Vault vulnerable to Cross-site Scripting

fstec логотип

BDU:2025-06183

CVSS3: 5.4
fstec
около 2 лет назад

Уязвимость веб-интерфейса платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

redos логотип

ROS-20250526-06

CVSS3: 8.1
redos
24 дня назад

Множественные уязвимости vault

EPSS

Процентиль: 68%
0.00587
Низкий

4.3 Medium

CVSS3