GHSA-9vrm-v9xv-x3xr

Source
https://github.com/advisories/GHSA-9vrm-v9xv-x3xr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-9vrm-v9xv-x3xr/GHSA-9vrm-v9xv-x3xr.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9vrm-v9xv-x3xr
Aliases
Published
2023-07-06T19:24:09Z
Modified
2024-08-20T20:58:48.456815Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
HashiCorp Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured
Details

HashiCorp Boundary versions 0.10.0 through 0.11.2 contain an issue where, when a PKI-based worker is used with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker's disk. This issue is fixed in version 0.12.0.

Database specific
{
    "nvd_published_at": "2023-02-08T19:15:00Z",
    "cwe_ids": [
        "CWE-311",
        "CWE-312"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T21:47:39Z"
}
References

Affected packages

Go / github.com/hashicorp/boundary

Package

Name
github.com/hashicorp/boundary
Purl
pkg:golang/github.com/hashicorp/boundary

Affected ranges

Type
SEMVER
Events
Introduced
0.10.0
Fixed
0.12.0