Cleartext Storage of Sensitive Information Affecting github.com/hashicorp/boundary/internal/cmd/commands/dev package, versions >=0.10.0 <0.12.0


Severity

medium

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.04% (14th percentile)

  • Snyk ID SNYK-GOLANG-GITHUBCOMHASHICORPBOUNDARYINTERNALCMDCOMMANDSDEV-3317173
  • published 9 Feb 2023
  • disclosed 9 Feb 2023
  • credit Boundary Engineering Team

How to fix?

Upgrade github.com/hashicorp/boundary/internal/cmd/commands/dev to version 0.12.0 or higher.

Overview

Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information when a PKI-based worker is run with a Key Management Service (KMS) defined in its configuration file. The credentials generated by an automatic rotation may not be encrypted with the configured KMS, which leaves them stored in plaintext on the Boundary PKI worker's disk.

Mitigation

After upgrading to the fixed version, customers should perform one of the following actions:

  1. Wait for the next worker authentication rotation to occur, typically within one week, at which point the new credentials should be properly encrypted.

  2. Delete the worker from the system and re-authorize it, forcing the worker to generate a new set of credentials immediately, which will be encrypted.
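Before choosing between the two mitigation steps, an operator usually wants to know whether the rotation described in the overview actually left cleartext key material on a worker's disk. The following Go check is an added example, not Boundary's own code; it assumes that unwrapped credentials would be recognisable as PEM private-key blocks and that KMS-wrapped credentials are opaque ciphertext, and the storage directory path is a placeholder.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// LooksLikeCleartextKey reports whether data contains an unencrypted PEM
// private-key block. KMS-wrapped credentials are opaque ciphertext, so a
// readable PEM "PRIVATE KEY" header is the simplest signal that wrapping
// was skipped (assumption: credentials are stored as PEM when unwrapped).
func LooksLikeCleartextKey(data []byte) bool {
	rest := data
	for {
		block, next := pem.Decode(rest)
		if block == nil {
			return false
		}
		if strings.Contains(block.Type, "PRIVATE KEY") {
			// Legacy PEM passphrase encryption ("Proc-Type: 4,ENCRYPTED")
			// is not cleartext; any other PRIVATE KEY block is.
			if _, encrypted := block.Headers["Proc-Type"]; !encrypted {
				return true
			}
		}
		rest = next
	}
}

// FindCleartextKeyMaterial walks a worker's storage directory and returns
// the paths of regular files that hold cleartext private keys.
func FindCleartextKeyMaterial(dir string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		if LooksLikeCleartextKey(data) {
			hits = append(hits, path)
		}
		return nil
	})
	return hits, err
}

func main() {
	// Placeholder: point this at the worker's configured storage directory.
	hits, err := FindCleartextKeyMaterial("/path/to/worker/storage")
	fmt.Println(hits, err)
}
```

A non-empty result means the faster second mitigation (delete and re-authorize the worker) is the safer choice, since waiting a week leaves the cleartext key on disk until the next rotation.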

CVSS Scores

version 3.1

Snyk (recommended)

5 medium
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None

NVD

7.1 high