HashiCorp Vault TOTP Secrets Engine Code Reuse Vulnerability

Vulnerability

A TOTP code reuse (replay) vulnerability has been identified in the TOTP Secrets Engine of HashiCorp Vault and Vault Enterprise. The engine is meant to reject a code that has already been validated within its validity window, but the submitted code was not normalized before that check, so a code resubmitted with whitespace appended was treated as a new, unused code and accepted again. The vulnerability affects Vault Community Edition up to and including 1.20.0, and Vault Enterprise up to and including 1.20.0, 1.19.6, 1.18.11, 1.16.22 and 1.15.15.
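The following Go program is an added illustration of this bug class and is not Vault's own code. It models what the description above implies: a validation endpoint whose one-time-use check is a cache keyed by the string the caller submitted, in front of a verifier that tolerates surrounding whitespace. With normalize=false the padded replay succeeds; with normalize=true (trim before both the cache lookup and the comparison) it is rejected. The key is the RFC 4226/6238 test secret, the timestamp is constructed, and the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// demoKey is the RFC 4226/6238 test secret (constructed input, not a Vault key).
var demoKey = []byte("12345678901234567890")

// totpAt returns the 6-digit RFC 6238 code (HMAC-SHA1, 30 s step) for key at t.
func totpAt(key []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// codeValidator models a TOTP validation endpoint that remembers codes already
// accepted in the current window so that each code can be used only once.
// normalize=false reproduces the flaw described above (cache keyed by the raw
// submission); normalize=true is the hardened form. Expiry of cache entries at
// the end of the window is omitted because it is not what the bug is about.
type codeValidator struct {
	key       []byte
	normalize bool
	used      map[string]bool
}

func newCodeValidator(key []byte, normalize bool) *codeValidator {
	return &codeValidator{key: key, normalize: normalize, used: map[string]bool{}}
}

// Validate reports whether submitted is a correct, not-yet-used code for now.
func (v *codeValidator) Validate(submitted string, now time.Time) bool {
	trimmed := strings.TrimSpace(submitted)

	// Replay check. Without normalization, "123456" and "123456 " are two
	// different cache keys even though they verify as the same code below.
	cacheKey := submitted
	if v.normalize {
		cacheKey = trimmed
	}
	if v.used[cacheKey] {
		return false
	}

	// The verifier itself tolerates surrounding whitespace, so the padded
	// variant still passes the cryptographic check.
	expected := totpAt(v.key, now)
	if subtle.ConstantTimeCompare([]byte(trimmed), []byte(expected)) != 1 {
		return false
	}
	v.used[cacheKey] = true
	return true
}

// replayAttempts runs the sequence an attacker holding one observed code would
// try: the genuine code once, the exact code again, then the code with a
// trailing space. It returns the three outcomes for the given cache behaviour.
func replayAttempts(normalize bool) (first, exactReplay, paddedReplay bool) {
	now := time.Date(2025, 8, 1, 18, 34, 0, 0, time.UTC) // constructed instant
	v := newCodeValidator(demoKey, normalize)
	code := totpAt(demoKey, now)
	first = v.Validate(code, now)
	exactReplay = v.Validate(code, now)
	paddedReplay = v.Validate(code+" ", now)
	return first, exactReplay, paddedReplay
}

func main() {
	for _, normalize := range []bool{false, true} {
		f, e, p := replayAttempts(normalize)
		fmt.Printf("normalize=%-5v first=%-5v exactReplay=%-5v paddedReplay=%v\n",
			normalize, f, e, p)
	}
}
```

The point the hardened branch makes is that normalization has to happen once, at the boundary, and the normalized value must be what every later step sees; trimming only inside the comparison leaves the replay cache working on a different string. To check an actual Vault instance (against a non-production deployment), validate a current code twice through the engine's code endpoint, for example `vault write totp/code/<name> code="123456"` followed by the same call with `code="123456 "`: an affected build reports valid for both submissions, a fixed build rejects the second.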

Impact

Exploitation of this vulnerability allows a TOTP code that has already been used to be accepted again while it is still within its validity window. Any control that relies on the engine's one-time-use guarantee, such as treating an accepted code as proof of a single fresh authentication, can therefore be bypassed by an attacker who observes a code (for example in transit or in logs) and resubmits it with whitespace appended before the window closes. The flaw does not disclose the TOTP key, so the attacker still needs a genuine code from the current window.

Remediation

Users are advised to upgrade to Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23. No fixed release is listed here for the Vault Enterprise 1.15 line, so deployments on 1.15.x should move to one of the fixed versions above. General upgrade guidance is available in the 'Upgrading Vault' documentation.

Added: Aug 1, 2025, 6:34 PM
Updated: Aug 1, 2025, 6:34 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.