CVE-2023-0665
HashiCorp Vault vulnerability analysis and mitigation

Overview

A vulnerability in HashiCorp Vault's PKI mount issuer endpoints (CVE-2023-0665) allowed requests to remove an issuer or modify issuer metadata without proper authorization. The vulnerability was introduced in Vault 1.11.0 and has been fixed in versions 1.13.1, 1.12.5, and 1.11.9. The issue was confined to the PKI mount functionality and did not affect public or private key material, trust chains, or certificate issuance (HashiCorp Discussion).

Technical details

The vulnerability affected a subset of issuer endpoints (/issuer/:ref/{json,der,pem}), while the primary /issuer/:ref endpoint remained properly authenticated. Several unauthenticated endpoints did not correctly authorize inbound requests, allowing modification or deletion of certain metadata fields. The issue was discovered during internal testing by the Vault engineering team (HashiCorp Discussion).

Impact

An attacker could modify or delete authority information fields for existing issuers, including crl_distribution_points and ocsp_servers, which could result in a denial of service for the affected PKI mount. Because the integrity and availability of all key material and certificates remained unaffected, any deleted issuer CA certificate could safely be re-imported (HashiCorp Discussion).

Mitigation and workarounds

Organizations should upgrade to Vault Enterprise versions 1.13.1, 1.12.5, 1.11.9, or newer to remediate this vulnerability. The Vault team maintains documentation and best practices for the PKI secrets engine that should be followed for secure implementation (HashiCorp Discussion).
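As an added example (not HashiCorp's code), the two checks a defender would run after reading this advisory, written in Python: a version test against the fixed releases listed above, and a drift check that diffs a saved snapshot of each issuer's CRL/OCSP/AIA pointers against a fresh read of the mount, flagging wiped fields and deleted issuers. The issuer field names, the issuer ids and the URLs are assumptions, and the sample data is constructed so the script runs offline.

```python
"""Defender-side checks for CVE-2023-0665 (added example; constructed data, no live Vault calls)."""
import re

INTRODUCED = (1, 11, 0)  # first vulnerable release, per the advisory
FIXED = {(1, 11): (1, 11, 9), (1, 12): (1, 12, 5), (1, 13): (1, 13, 1)}  # fixed per release line
# Issuer metadata fields the unauthorized endpoints could alter (CRL/OCSP/AIA pointers).
WATCHED_FIELDS = ("crl_distribution_points", "ocsp_servers", "issuing_certificates")

def parse_version(v):
    """Map '1.12.4+ent' or 'v1.13.0' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised Vault version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if this Vault version lies inside the vulnerable range for CVE-2023-0665."""
    ver = parse_version(version)
    if ver < INTRODUCED:
        return False
    fixed = FIXED.get(ver[:2])
    if fixed is None:  # release lines after 1.13 were cut with the fix already in place
        return False
    return ver < fixed

def issuer_drift(baseline, current):
    """Diff a known-good snapshot of issuer metadata against a fresh read.
    Both maps are issuer_id -> issuer fields, mirroring the `data` object of a
    pki/issuer/:ref read (assumed shape). An empty result means no drift."""
    findings = []
    for issuer_id, expected in baseline.items():
        actual = current.get(issuer_id)
        if actual is None:
            findings.append(f"{issuer_id}: issuer missing, re-import its CA certificate")
            continue
        for field in WATCHED_FIELDS:
            before, after = expected.get(field, []), actual.get(field, [])
            if sorted(before) != sorted(after):
                findings.append(f"{issuer_id}: {field} changed {before} -> {after}")
    return findings

# Constructed sample: snapshot taken before exposure vs. what the mount returns now.
BASE = "https://vault.example.internal/v1/pki"
GOOD = {"crl_distribution_points": [f"{BASE}/crl"], "ocsp_servers": [f"{BASE}/ocsp"],
        "issuing_certificates": [f"{BASE}/ca"]}
BASELINE = {"root-2022": dict(GOOD), "int-2023": dict(GOOD)}
CURRENT_READ = {  # CRL/OCSP pointers wiped on the root; the intermediate issuer is gone
    "root-2022": {"crl_distribution_points": [], "ocsp_servers": [], "issuing_certificates": [f"{BASE}/ca"]},
}
```

Running `issuer_drift(BASELINE, CURRENT_READ)` on the constructed sample yields two changed-field findings for root-2022 and one missing-issuer finding for int-2023; an unchanged mount yields an empty list.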


Related HashiCorp Vault vulnerabilities:

CVE ID         | Severity | Score | Technologies    | Component name                       | CISA KEV exploit | Has fix | Published date
CVE-2025-61729 | HIGH     | 7.5   | cAdvisor        | rancher-fleet                        | No               | Yes     | Dec 02, 2025
CVE-2025-63811 | HIGH     | 7.5   | HashiCorp Vault | argo-events                          | No               | Yes     | Nov 12, 2025
CVE-2025-61727 | MEDIUM   | 6.5   | cAdvisor        | etcd-3.5                             | No               | Yes     | Dec 03, 2025
CVE-2025-58181 | MEDIUM   | 5.3   | cAdvisor        | bento                                | No               | Yes     | Nov 19, 2025
CVE-2025-47914 | MEDIUM   | 5.3   | cAdvisor        | external-secrets-operator-fips-0.17  | No               | Yes     | Nov 19, 2025
