An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS04NDQ5LTdnYzItcHdycM4AAuFF

Severity: High
EPSS: 0.00321% (0.54502 Percentile)

HashiCorp Consul Template could reveal Vault secret contents in error messages

Affected package: go:github.com/hashicorp/consul-template
Affected versions: >= 0.29.0, < 0.29.2; >= 0.28.0, < 0.28.3; < 0.27.3
Fixed versions: 0.29.2, 0.28.3, 0.27.3
Dependent packages: 121
Dependent repositories: 655

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.5, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.22.0, 0.22.1, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.27.0, 0.27.1, 0.27.2, 0.28.0, 0.28.1, 0.28.2, 0.29.0, 0.29.1

All unaffected versions

0.27.3, 0.28.3, 0.29.2, 0.29.3, 0.29.4, 0.29.5, 0.29.6, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.37.1, 0.37.2, 0.37.3, 0.37.4, 0.37.5, 0.37.6, 0.38.0, 0.38.1, 0.39.0, 0.39.1, 0.40.0, 0.41.0, 0.41.1

In HashiCorp Consul Template through version 0.29.1, invalid templates could inadvertently reveal the contents of Vault secrets in errors returned by the *template.Template.Execute method when given a template that uses Vault secret contents incorrectly. This method has been updated to redact Vault secrets when creating an error string, making it safe to log the error. This issue was fixed in version 0.29.2.
