CVE-2023-5077: 
HashiCorp Vault vulnerability analysis and mitigation

The Vault and Vault Enterprise ('Vault') Google Cloud secrets engine vulnerability (CVE-2023-5077) was discovered affecting versions since 0.10. The vulnerability involved the failure to preserve existing Google Cloud IAM Conditions when creating or updating rolesets. This security issue was officially disclosed on September 28, 2023, and was subsequently fixed in Vault version 1.13.0 (HashiCorp Advisory, NVD).

The vulnerability stems from a flaw in the Google Cloud secrets engine's handling of IAM Conditions. When creating or updating a roleset, the system failed to copy existing conditions to the newly-created IAM policy binding object. This resulted in existing IAM conditions no longer being enforced for that roleset. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST NVD, indicating significant severity (NVD).

The vulnerability could lead to incorrect privilege enforcement as existing IAM conditions were not preserved during roleset operations. This could potentially result in broader access than intended, as the security conditions that were supposed to restrict access to resources were not being properly maintained (HashiCorp Advisory).

HashiCorp has addressed this vulnerability in Vault version 1.13.0 and subsequent releases. Users are advised to upgrade to Vault 1.13.0 or newer versions to remediate this issue. The fix has been inherited by Vault 1.14 and 1.15 releases (HashiCorp Advisory).