CVE-2023-0690

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-0690

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-0690.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-0690

Aliases

Published

2023-02-08T19:15:11Z

Modified

2025-02-14T11:40:27.739617Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk.

This issue is fixed in version 0.12.0.

References

https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907

Affected packages

Git / github.com/hashicorp/boundary

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/boundary
Events: Introduced

ad9a47a7f937581edf4fd1edea3332d55d243a01

Fixed

034f27ec8528251ce23b5afbf3851c48b0c54bec

Affected versions

api/v0.*

api/v0.0.29

api/v0.0.33

sdk/v0.*

sdk/v0.0.20

sdk/v0.0.21

sdk/v0.0.22

sdk/v0.0.24

sdk/v0.0.27

sdk/v0.0.28

sdk/v0.0.29

v0.*

v0.10.0