Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05dnJtLXY5eHYteDN4cs4AA0Sj
HashiCorp Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0.
Permalink: https://github.com/advisories/GHSA-9vrm-v9xv-x3xrJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05dnJtLXY5eHYteDN4cs4AA0Sj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 10 months ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-9vrm-v9xv-x3xr, CVE-2023-0690
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-0690
- https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907
- https://github.com/advisories/GHSA-9vrm-v9xv-x3xr
Affected Packages
go:github.com/hashicorp/boundary
Dependent packages: 5Dependent repositories: 3
Downloads:
Affected Version Ranges: >= 0.10.0, < 0.12.0
Fixed in: 0.12.0
All affected versions: 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.11.0, 0.11.1, 0.11.2
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.5, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.16.0