PT-2023-16458 · Hashicorp · Hashicorp Boundary
Published: 2023-02-08 · Updated: 2024-08-20 · CVE-2023-0690
CVSS v3.1: 7.1 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
HashiCorp Boundary versions 0.10.0 through 0.11.2
Description
The issue arises when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file. After an automatic rotation, new credentials may not be encrypted via the intended KMS, resulting in them being stored in plaintext on the Boundary PKI worker’s disk.
Recommendations
For HashiCorp Boundary versions 0.10.0 through 0.11.2, update to version 0.12.0 to resolve the issue. As a temporary workaround, consider restricting access to the credentials stored on the Boundary PKI worker’s disk to minimize the risk of exploitation.
Fix
Cleartext Storage of Sensitive Information
Missing Encryption of Sensitive Data
Related Identifiers
Affected Products
Hashicorp Boundary