Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05dnJtLXY5eHYteDN4cs4AA0Sj
HashiCorp Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured
HashiCorp Boundary versions 0.10.0 through 0.11.2 contain an issue where, when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. As a result, the credentials would be stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0.
Permalink: https://github.com/advisories/GHSA-9vrm-v9xv-x3xr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05dnJtLXY5eHYteDN4cs4AA0Sj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Percentage: 0.00044
EPSS Percentile: 0.13516
Identifiers: GHSA-9vrm-v9xv-x3xr, CVE-2023-0690
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-0690
- https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907
- https://github.com/advisories/GHSA-9vrm-v9xv-x3xr
Affected Packages
go:github.com/hashicorp/boundary
Dependent packages: 5
Dependent repositories: 3
Downloads:
Affected Version Ranges: >= 0.10.0, < 0.12.0
Fixed in: 0.12.0
All affected versions: 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.11.0, 0.11.1, 0.11.2
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.5, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1