CVE-2023-5077 — Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creatin

Description

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

How to fix CVE-2023-5077

To remediate CVE-2023-5077, upgrade the affected package to a fixed version below.

Bitnami/vault—upgrade to 1.13.0 or later
—upgrade to 1.13.0 or later
—upgrade to 1.13.0 or later

Is CVE-2023-5077 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 0.10.0, < 1.13.0
from 0, < 1.13.0
from 0, < 1.13.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

References (4)

ADVISORYgithub.com/advisories/GHSA-86c6-3g63-5w64
ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-5077
PATCHgithub.com/hashicorp/vault
WEBdiscuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654