CVE-2023-3462: 
HashiCorp Vault vulnerability analysis and mitigation

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method (CVE-2023-3462). The vulnerability allows unauthenticated users to potentially enumerate valid accounts in the configured LDAP system by observing response errors when querying usernames. This vulnerability affects versions 1.13.0 through 1.14.0 and 1.13.4, and has been fixed in versions 1.14.1 and 1.13.5 (HashiCorp Advisory).

The vulnerability exists in the LDAP authentication method implementation where an attacker can submit requests for both existing and non-existing LDAP users and observe the differences in Vault's responses to determine if an account is valid on the LDAP server. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that it can be exploited over the network with low attack complexity and requires no privileges or user interaction (NVD).

The vulnerability allows attackers to perform user enumeration against the LDAP directory through Vault's authentication mechanism. This could enable attackers to identify valid usernames in the LDAP system, which could be used as a stepping stone for further attacks such as password spraying or brute force attempts (HashiCorp Advisory).

The primary mitigation is to upgrade to Vault version 1.14.1, 1.13.5, or newer. HashiCorp recommends that customers evaluate the risk associated with this issue and consider upgrading to the fixed versions. General guidance and version-specific upgrade notes can be found in the Vault upgrade documentation (HashiCorp Advisory).