{"id":"BIT-vault-2023-2121","summary":"Vault’s KV Diff Viewer Allowed for HTML Injection","details":"Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.","aliases":["CVE-2023-2121","GHSA-gq98-53rq-qr5h","GO-2023-1849"],"modified":"2025-05-20T10:02:07.006Z","published":"2024-03-06T11:09:28.191Z","database_specific":{"severity":"Medium","cpes":["cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*","cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*"]},"references":[{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2023-17-vault-s-kv-diff-viewer-allowed-html-injection/54814"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2121"}],"affected":[{"package":{"name":"vault","ecosystem":"Bitnami","purl":"pkg:bitnami/vault"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.11.11"},{"introduced":"1.12.0"},{"fixed":"1.12.7"},{"introduced":"1.13.0"},{"fixed":"1.13.3"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/vault/BIT-vault-2023-2121.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}],"schema_version":"1.7.3"}