
GHSA-wmg5-g953-qqfw

GitHub Security Advisory

Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation

GitHub Reviewed: Yes | Severity: HIGH | CVE assigned: Yes

Advisory Details

In the Vault and Vault Enterprise (Vault) AppRole auth method, the `/auth/approle/role/:role_name/secret-id-accessor/destroy` endpoint did not verify that the supplied secret ID accessor was issued for the role named in the path. Any authenticated user whose policy grants access to that endpoint for one role could therefore destroy a secret ID belonging to any other role simply by supplying that secret ID's accessor, revoking the other role's credential without holding any permission on that role. This vulnerability, CVE-2023-24999, is fixed in Vault 1.13.0, 1.12.4, 1.11.8 and 1.10.11 and later releases.
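The following is an added illustration for this page, not HashiCorp Vault's code: a toy in-memory model of an AppRole secret-ID store with the destroy handler written two ways. `destroyUnchecked` models the pre-fix behaviour, where the accessor is looked up and deleted without comparing the issuing role against the `:role_name` path parameter; `destroyChecked` models the fixed behaviour, where a mismatch is rejected and nothing is deleted. All type, function and role names, and the sample accessors, are assumptions constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy model of an AppRole secret-ID store, written for this page to
// illustrate the missing ownership check. It is not HashiCorp Vault's
// code; the names and layout below are assumptions.
type secretIDEntry struct {
	role     string // role that issued this secret ID
	secretID string // kept in plaintext here only for the demo
}

type approleStore struct {
	byAccessor map[string]secretIDEntry
}

var (
	errNotFound  = errors.New("secret ID accessor not found")
	errWrongRole = errors.New("secret ID accessor does not belong to this role")
)

func newStore() *approleStore {
	return &approleStore{byAccessor: map[string]secretIDEntry{}}
}

// issue records a secret ID for role under the given accessor.
func (s *approleStore) issue(role, accessor, secretID string) {
	s.byAccessor[accessor] = secretIDEntry{role: role, secretID: secretID}
}

// has reports whether an accessor is still live.
func (s *approleStore) has(accessor string) bool {
	_, ok := s.byAccessor[accessor]
	return ok
}

// destroyUnchecked models the pre-fix handler for
// /auth/approle/role/:role_name/secret-id-accessor/destroy: the accessor
// is looked up and deleted, and roleName is never compared against the
// role that issued it. A caller whose policy only covers roleName can
// therefore destroy any other role's secret ID given its accessor.
func (s *approleStore) destroyUnchecked(roleName, accessor string) error {
	_ = roleName // the bug: the path parameter is ignored here
	if _, ok := s.byAccessor[accessor]; !ok {
		return errNotFound
	}
	delete(s.byAccessor, accessor)
	return nil
}

// destroyChecked models the fixed behaviour: the entry is deleted only if
// it was issued for the role named in the path; otherwise nothing changes.
func (s *approleStore) destroyChecked(roleName, accessor string) error {
	entry, ok := s.byAccessor[accessor]
	if !ok {
		return errNotFound
	}
	if entry.role != roleName {
		return errWrongRole
	}
	delete(s.byAccessor, accessor)
	return nil
}

func main() {
	// Constructed sample data: two roles, one secret ID each.
	vuln := newStore()
	vuln.issue("app-a", "acc-a1", "sid-a1")
	vuln.issue("app-b", "acc-b1", "sid-b1")
	// A token scoped to app-a supplies app-b's accessor.
	fmt.Println("unchecked:", vuln.destroyUnchecked("app-a", "acc-b1"),
		"| app-b accessor still live:", vuln.has("acc-b1"))

	fixed := newStore()
	fixed.issue("app-a", "acc-a1", "sid-a1")
	fixed.issue("app-b", "acc-b1", "sid-b1")
	fmt.Println("checked, wrong role:", fixed.destroyChecked("app-a", "acc-b1"),
		"| app-b accessor still live:", fixed.has("acc-b1"))
	fmt.Println("checked, own role:", fixed.destroyChecked("app-b", "acc-b1"),
		"| app-b accessor still live:", fixed.has("acc-b1"))
}
```

The point the model makes is that a policy path like `auth/approle/role/app-a/secret-id-accessor/destroy` only constrains which URL the caller may hit; unless the handler itself ties the accessor back to `app-a`, the path-scoped policy provides no isolation between roles. When checking a deployment, confirm the running version is at or above the fixed release for its line rather than relying on policy scoping alone.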

Affected Packages

Ecosystem  Package                        Affected versions          Fixed in
Go         github.com/hashicorp/vault     all releases before 1.10.11   1.10.11
Go         github.com/hashicorp/vault     1.11.0 through 1.11.7      1.11.8
Go         github.com/hashicorp/vault     1.12.0 through 1.12.3      1.12.4

Related CVEs

CVE-2023-24999

Key Information

GHSA ID
GHSA-wmg5-g953-qqfw
Published
July 6, 2023 7:24 PM
Last Modified
July 6, 2023 9:51 PM
CVSS Score
7.5 /10
Primary Ecosystem
Go
Primary Package
github.com/hashicorp/vault
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.