github.com/hashicorp/boundary is vulnerable to Information Disclosure. New credentials created after an automatic rotation may not be encrypted with the intended KMS, so an attacker can obtain sensitive information from the worker's disk.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/hashicorp/boundary | le | v0.11.2 |
discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907
discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907/1
github.com/hashicorp/boundary/commit/bd4f5f380197eff9e7963290a2947c4dcd992af1
github.com/hashicorp/boundary/pull/2484