CVE-2023-0690

2023-02-0819:15:11

CWE-311

CWE-312

[email protected]

web.nvd.nist.gov

hashicorp

boundary

cve-2023-0690

pki

key management service

kms

plaintext storage

nvd

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk.

This issue is fixed in version 0.12.0.

Affected configurations

NVD

Node

hashicorpboundaryRange0.10.0–0.12.0

CPENameOperatorVersion
hashicorp:boundaryhashicorp boundarylt0.12.0

CPE	Name	Operator	Version
hashicorp:boundary	hashicorp boundary	lt	0.12.0

CNA Affected

[
  {
    "vendor": "HashiCorp",
    "product": "Boundary",
    "platforms": [
      "Windows",
      "MacOS",
      "x86",
      "ARM",
      "64 bit",
      "Linux",
      "32 bit"
    ],
    "repo": "https://github.com/hashicorp/boundary",
    "versions": [
      {
        "status": "affected",
        "version": "0.10.0",
        "lessThanOrEqual": "0.11.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]