PT-2021-23968 · Jinja2+1

Ewjoachim · Published 2021-12-16 · Updated 2022-08-09 · CVE-2021-43837

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: vault-cli versions prior to 3.0.0

Description: The issue concerns the ability of vault-cli to render templated values. When a secret starts with the prefix !template!, vault-cli interprets the rest of the secret's contents as a Jinja2 template. Jinja2 is a powerful templating engine and is not designed to safely render arbitrary templates. An attacker who controls a Jinja2 template rendered on a machine can trigger arbitrary code execution, making this a Remote Code Execution (RCE) risk. If the contents of the vault can be completely trusted, this is not a problem. Otherwise, if your threat model includes cases where an attacker can manipulate a secret value that is read from the vault using vault-cli, then this vulnerability may impact you.

Recommendations: Users of versions prior to 3.0.0 are advised to upgrade to version 3.0.0 or later as soon as possible. As a temporary workaround, users can disable rendering with the environment variable VAULT_CLI_RENDER=false, with the flag --no-render placed between vault-cli and the subcommand, or by adding render: false to the vault-cli configuration YAML file. Users of the Python library can pass render=False when creating their client, vault_cli.get_client(render=False), to get a client that does not render templated secrets and is therefore not affected by this issue.
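As an added example (not code from the advisory or from vault-cli itself), the audit script below walks a constructed snapshot of secret values and reports the entries that a vault-cli release before 3.0.0 with rendering enabled would hand to Jinja2; the function names and sample data are hypothetical.

```python
"""Audit a vault snapshot for values that vault-cli < 3.0.0 renders as Jinja2.

Added example; not part of the advisory or of vault-cli. Names are
hypothetical and SAMPLE_SECRETS is constructed for the demonstration.
"""
from typing import Any, Dict, List

TEMPLATE_PREFIX = "!template!"  # prefix named in the advisory
FIXED_VERSION = (3, 0, 0)       # first release that no longer renders by default


def find_templated_secrets(secrets: Dict[str, Any], path: str = "") -> List[str]:
    """Return the vault paths (path/key) whose string value starts with the
    template prefix, walking nested mappings recursively.

    Only string values are candidates: non-string values (ints, lists) are
    never interpreted as templates. The value itself is deliberately not
    returned so the audit output does not leak secret material."""
    hits: List[str] = []
    for key, value in secrets.items():
        full = f"{path}/{key}" if path else key
        if isinstance(value, dict):
            hits.extend(find_templated_secrets(value, full))
        elif isinstance(value, str) and value.startswith(TEMPLATE_PREFIX):
            hits.append(full)
    return sorted(hits)


def needs_mitigation(version: str) -> bool:
    """True when a vault-cli version string (e.g. '2.10.1') is before 3.0.0."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_VERSION


# Constructed snapshot: two templated values, one decoy with the word later in
# the string and one with leading whitespace (the advisory describes the
# prefix at the very start of the value, so that one is not reported).
SAMPLE_SECRETS: Dict[str, Any] = {
    "app": {
        "prod": {"db_password": "s3cr3t", "port": 5432,
                 "banner": "!template!Hello {{ env }}"},
        "staging": {"db_url": "!template!postgres://{{ host }}/db",
                    "note": "mentions !template! but is not a template"},
    },
    "shared": {"token": "  !template!leading-space"},
}

if __name__ == "__main__":
    for entry in find_templated_secrets(SAMPLE_SECRETS):
        print(f"templated value at {entry}: review or disable rendering")
```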

Weakness Enumeration

Code Injection
Special Elements Injection

Related Identifiers

CVE-2021-43837
GHSA-Q34H-97WF-8R8J
PYSEC-2021-853

Affected Products

Jinja2
Vault-Cli