CVE-2023-5077 in Vault
Summary
by MITRE • 10/25/2023
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
Analysis
by VulDB Data Team • 04/21/2025
CVE-2023-5077 affects HashiCorp Vault and Vault Enterprise when the Google Cloud secrets engine is in use. It is a critical configuration management flaw in how Vault handles Google Cloud Identity and Access Management (IAM) rolesets: the secrets engine fails to keep existing IAM Conditions in place when it creates or updates a roleset, which is a significant risk for organizations that rely on fine-grained, condition-based access controls in their Google Cloud environments.
The technical flaw stems from Vault not preserving IAM Conditions during roleset operations in the Google Cloud integration. When an administrator creates or modifies a roleset through the Google Cloud secrets engine, Vault fails to retain the IAM Conditions that had been explicitly defined for security purposes. This violates the expectation that a secrets manager leaves existing security configuration intact, and it can lead to unintended access being granted or existing restrictions being silently removed. The defect sits at the integration layer between Vault's secret management and Google Cloud IAM, where state handling should preserve existing security configuration across modification operations.
The operational impact of this vulnerability extends beyond simple permission changes and represents a potential vector for privilege escalation and unauthorized access. Organizations using Vault to manage Google Cloud credentials and access controls may experience situations where existing IAM conditions that were carefully crafted for security compliance are lost during routine roleset updates. This could result in over-privileged access scenarios where users gain broader permissions than intended, or conversely, where legitimate access is inadvertently restricted due to condition removal. The vulnerability particularly affects environments that rely on conditional IAM policies for compliance requirements, audit trails, and least privilege enforcement.
Security implications of this vulnerability align with CWE-284, which addresses improper access control in software systems. The flaw demonstrates poor privilege management and configuration preservation practices that can undermine the security posture of cloud environments. From an attack perspective, this vulnerability could be leveraged by threat actors to exploit existing access control mechanisms or to bypass security controls that were specifically implemented to restrict access based on conditions. The ATT&CK framework would categorize this as a privilege escalation technique, specifically related to access control manipulation and cloud service configuration abuse. Organizations should consider this vulnerability as part of their broader cloud security posture assessment and remediation planning.
The fix implemented in Vault 1.13.0 addresses the root cause by ensuring proper preservation of existing IAM conditions during roleset creation and update operations. This update represents a critical security patch that restores the expected behavior of the Google Cloud secrets engine integration. Organizations should prioritize upgrading to Vault 1.13.0 or later versions to remediate this vulnerability. The patch ensures that when rolesets are modified through Vault's Google Cloud integration, existing IAM conditions are maintained, preserving the intended security controls and access restrictions that were previously established. This remediation aligns with best practices for maintaining configuration integrity in security management systems and prevents the unintended exposure of cloud resources due to improper access control handling.
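As an added example (not VulDB's or HashiCorp's code), the following Go check lets a defender compare two getIamPolicy snapshots taken before and after a Vault roleset write and flag any conditional binding whose condition did not survive, which is exactly the loss this CVE causes. The policy JSON, the group, the service account name and the condition expression are constructed sample values.

```go
package main

import "encoding/json"

// Minimal model of a Google Cloud IAM policy; encoding/json matches the API's
// lower-case keys ("role", "condition", ...) to these field names case-insensitively.
type Condition struct{ Title, Expression string }
type Binding struct {
	Role      string
	Members   []string
	Condition *Condition // nil for an unconditional binding
}
type Policy struct {
	Version  int // a policy that carries conditions is version 3
	Bindings []Binding
}

// Constructed sample: a conditional binding before a roleset write, and the policy
// an affected Vault release would write back (condition gone, Vault's roleset
// service account added to an unconditional binding for the same role).
const BeforeJSON = `{"version":3,"bindings":[{"role":"roles/storage.objectViewer","members":["group:analysts@example.com"],
 "condition":{"title":"business-hours","expression":"request.time.getHours('UTC') >= 9"}}]}`
const AfterJSON = `{"version":3,"bindings":[{"role":"roles/storage.objectViewer",
 "members":["group:analysts@example.com","serviceAccount:vault-rs@example.iam.gserviceaccount.com"]}]}`

// LostConditions compares getIamPolicy snapshots taken before and after a roleset write
// and lists each conditional binding (role: title) with no surviving binding for the
// same role and condition expression; a non-empty result means conditions were dropped.
func LostConditions(beforeJSON, afterJSON string) ([]string, error) {
	var before, after Policy
	if err := json.Unmarshal([]byte(beforeJSON), &before); err != nil {
		return nil, err
	}
	if err := json.Unmarshal([]byte(afterJSON), &after); err != nil {
		return nil, err
	}
	var lost []string
outer:
	for _, b := range before.Bindings {
		if b.Condition == nil {
			continue // only conditional bindings are at stake
		}
		for _, a := range after.Bindings {
			if a.Role == b.Role && a.Condition != nil && a.Condition.Expression == b.Condition.Expression {
				continue outer // the condition survived the update
			}
		}
		lost = append(lost, b.Role+": "+b.Condition.Title)
	}
	return lost, nil
}
```

Run it against the sample and it reports `roles/storage.objectViewer: business-hours`; running it on two identical snapshots reports nothing. Snapshots must be fetched with policy version 3 requested, or conditional bindings will not be visible to the comparison.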