GitHub Advisory DatabaseGHSA-8449-7GC2-PWRPHashiCorp Consul Template could reveal Vault secret contents in error messages
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
52.5%
In HashiCorp Consul Template through version 0.29.1, invalid templates could inadvertently reveal the contents of Vault secret in errors returned by the *template.Template.Execute 5 method, when given a template using Vault secret contents incorrectly. This method has been updated to redact Vault secrets when creating an error string, making it safe to log the error… This issue was fixed in version 0.29.2.
Affected configurations
References
discuss.hashicorp.com/t/hsec-2022-16-consul-template-may-expose-vault-secrets-when-processing-invalid-input/43215
github.com/advisories/GHSA-8449-7gc2-pwrp
github.com/hashicorp/consul-template/commit/d6a6f4af219c28e67d847ba0e0b2bea8f5bb9076
nvd.nist.gov/vuln/detail/CVE-2022-38149
pkg.go.dev/vuln/GO-2022-0980
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
52.5%