{
  "threat_severity" : "Moderate",
  "public_date" : "2023-07-31T00:00:00Z",
  "bugzilla" : {
    "description" : "Hashicorp/vault: Vault’s LDAP Auth Method Allows for User Enumeration",
    "id" : "2228020",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2228020"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-203",
  "details" : [ "HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.", "A flaw was found in the HashiCorp Vault. The Vault and Vault Enterprise (“Vault”) LDAP auth method allows unauthenticated users to potentially enumerate valid accounts in the configured LDAP system by observing the response error when querying usernames." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-10-09T00:00:00Z",
    "advisory" : "RHSA-2024:7599",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "openshift4/ose-installer-rhel9:v4.16.0-202410011135.p0.ge8f8bf9.assembly.stream.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2024-10-16T00:00:00Z",
    "advisory" : "RHSA-2024:7922",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "openshift4/ose-installer-rhel9:v4.17.0-202410090834.p0.gec752c1.assembly.stream.el9"
  }, {
    "product_name" : "RHODF-4.14-RHEL-9",
    "release_date" : "2023-11-08T00:00:00Z",
    "advisory" : "RHSA-2023:6832",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.14::el9",
    "package" : "odf4/rook-ceph-rhel9-operator:v4.14.0-71"
  }, {
    "product_name" : "RHODF-4.15-RHEL-9",
    "release_date" : "2024-03-19T00:00:00Z",
    "advisory" : "RHSA-2024:1383",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/odf-rhel9-operator:v4.15.0-19"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/logging-loki-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/topology-aware-lifecycle-manager-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/cephcsi-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/mcg-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/ocs-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "ocs4/rook-ceph-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/cephcsi-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/mcg-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/ocs-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odf-multicluster-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odr-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-3462\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3462\nhttps://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714" ],
  "name" : "CVE-2023-3462",
  "csaw" : false
}