PT-2020-13380 · Hashicorp · Vault Enterprise

Published 2020-06-10 · Updated 2024-08-21 · CVE-2020-13223

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

HashiCorp Vault and Vault Enterprise versions prior to 1.3.6
HashiCorp Vault and Vault Enterprise versions prior to 1.4.2

Description

The issue concerns the logging of proxy environment variables that may contain sensitive credentials. This could lead to information disclosure. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. The vulnerability affects the github.com/hashicorp/vault/command Go package.

Recommendations

For versions prior to 1.3.6, update to version 1.3.6 or later. For versions prior to 1.4.2, update to version 1.4.2 or later.
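
For services that log their own proxy settings at startup, the class of issue in the Description can be avoided by stripping credentials before the value reaches the logger. The Go sketch below is an added example, not Vault's code or its fix; the function names, the variable list and the sample proxy URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Variables treated as proxy settings (assumption of this example).
var proxyVars = []string{"HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy"}

// RedactProxyValue returns v with any user:password part replaced, so it can be logged.
func RedactProxyValue(v string) string {
	raw := v
	// Scheme-less values ("user:pw@host:3128") would be misparsed, so add one for parsing.
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		// Never echo a value we could not parse: it may still hold a secret.
		return "[unparseable value redacted]"
	}
	if u.User == nil {
		return v // no credentials present
	}
	u.User = url.User("REDACTED")
	if raw != v {
		return strings.TrimPrefix(u.String(), "http://")
	}
	return u.String()
}

// LoggableProxyEnv builds "NAME=value" log lines; getenv is os.Getenv in real use.
func LoggableProxyEnv(getenv func(string) string) []string {
	var out []string
	for _, name := range proxyVars {
		if v := getenv(name); v != "" {
			out = append(out, name+"="+RedactProxyValue(v))
		}
	}
	return out
}

func main() {
	// Constructed sample environment, not taken from any real system.
	env := map[string]string{"HTTPS_PROXY": "http://svc:s3cr3t@proxy.example.internal:3128"}
	for _, line := range LoggableProxyEnv(func(k string) string { return env[k] }) {
		fmt.Println(line)
	}
}
```

The same check is useful in review: any log statement that prints an environment value from a proxy variable should pass through a redaction step like this one.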

Fix

Insertion into Log File

Information Disclosure

Weakness Enumeration

Related Identifiers

BIT-VAULT-2020-13223
CVE-2020-13223
GHSA-25XJ-89G5-FM6H
GO-2022-0778

Affected Products

Hashicorp Vault
Vault Enterprise