Jinja2 · Jinja2 · CVE-2021-43837
Name of the Vulnerable Software and Affected Versions:
vault-cli versions prior to 3.0.0
Description:
The issue concerns the ability of vault-cli to render templated values. When a secret starts with the prefix `!template!`, vault-cli interprets the rest of the contents of the secret as a Jinja2 template. Jinja2 is a powerful templating engine and is not designed to safely render arbitrary templates. An attacker controlling a Jinja2 template rendered on a machine can execute arbitrary code, making this a Remote Code Execution (RCE) risk. If the content of the vault can be completely trusted, then this is not a problem. Otherwise, if your threat model includes cases where an attacker can manipulate a secret value read from the vault using vault-cli, then this vulnerability may impact you.
Recommendations:
For versions prior to 3.0.0, users are advised to upgrade to version 3.0.0 or later as soon as possible.
As a temporary workaround, users can disable rendering by using the environment variable `VAULT_CLI_RENDER=false` or the flag `--no-render` placed between `vault-cli` and the subcommand, or by adding `render: false` to the vault-cli configuration yaml file.
Using the Python library, users can use `vault_cli.get_client(render=False)` when creating their client to get a client that will not render templated secrets and thus operates securely.
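As an added example, not part of this advisory or of the vault-cli project, the following Python snippet walks a dump of vault secrets and reports every value that a vault-cli release before 3.0.0 would have handed to Jinja2 (that is, every string starting with `!template!`), so an operator can review those entries before relying on rendering again. It also shows a lookup that mirrors the `render=False` behaviour of returning the stored string untouched. The dump shape (vault path mapped to a key/value mapping), the helper names and the sample data are assumptions made for this example.

```python
"""Audit helper: find vault secrets that a pre-3.0.0 vault-cli would render as Jinja2 templates."""
from typing import Any, Dict, List, Tuple

# Prefix that vault-cli (before 3.0.0) treats as "render the remainder as a Jinja2 template".
TEMPLATE_PREFIX = "!template!"


def is_templated(value: Any) -> bool:
    """True if a rendering client would pass this secret value to Jinja2."""
    return isinstance(value, str) and value.startswith(TEMPLATE_PREFIX)


def find_templated_secrets(dump: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (path, key) pairs whose value starts with the template prefix.

    `dump` is assumed (for this example) to map a vault path to its key/value
    mapping, the shape produced by walking a KV mount one level deep.
    """
    hits: List[Tuple[str, str]] = []
    for path, kv in sorted(dump.items()):
        for key, value in sorted(kv.items()):
            if is_templated(value):
                hits.append((path, key))
    return hits


def get_secret_raw(dump: Dict[str, Dict[str, Any]], path: str, key: str) -> Any:
    """Emulate render=False: hand back the stored value exactly as written, never rendered."""
    return dump[path][key]


# Constructed sample data for the example; not taken from a real vault.
SAMPLE_DUMP = {
    "secret/app/db": {"password": "hunter2", "url": "postgres://db.internal/app"},
    "secret/app/greeting": {"message": "!template!Hello {{ user }}"},
    "secret/shared/api": {"token": "tok_abc123"},
}

if __name__ == "__main__":
    for path, key in find_templated_secrets(SAMPLE_DUMP):
        print(f"templated secret at {path}:{key}; review before trusting rendering")
```

Run against an export of the mounts your clients read; every reported entry is one that an attacker with write access to that path could have turned into a template under the vulnerable versions, so it deserves a look even after upgrading.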