Описание
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
A flaw was found in github.com/hashicorp/vault. The Userpass authentication method exhibits a timing vulnerability, allowing an attacker to determine whether a username exists within Vault by measuring response times, and enables potential enumeration of valid usernames. This vulnerability allows a network-based attacker to exploit this side channel to infer user presence without authentication credentials and to discover user accounts without authorization.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Fix deferred | ||
| external secrets operator for Red Hat OpenShift - Tech Preview | external-secrets-operator/external-secrets-operator-rhel9 | Fix deferred | ||
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Will not fix | ||
| Red Hat Openshift Data Foundation 4 | odf4/mcg-cli-rhel9 | Will not fix | ||
| Red Hat Openshift Data Foundation 4 | odf4/mcg-rhel9-operator | Will not fix | ||
| Red Hat Openshift Data Foundation 4 | odf4/odf-cli-rhel9 | Will not fix | ||
| Red Hat Trusted Artifact Signer | rhtas/client-server-rhel9 | Will not fix | ||
| Red Hat Trusted Artifact Signer | rhtas/fulcio-rhel9 | Will not fix |
Показывать по
Дополнительная информация
Статус:
3.7 Low
CVSS3
Связанные уязвимости
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users
Уязвимость функции CompareHashAndPassword платформ для архивирования корпоративной информации Vault Enterprise и Vault Community Edition, связанная с раскрытием информации из-за несоответствия во времени, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
3.7 Low
CVSS3