Cleartext Storage of Sensitive Information Affecting github.com/hashicorp/boundary/internal/cmd/commands/dev package, versions >=0.10.0 <0.12.0
Snyk ID SNYK-GOLANG-GITHUBCOMHASHICORPBOUNDARYINTERNALCMDCOMMANDSDEV-3317173
- published 9 Feb 2023
- disclosed 9 Feb 2023
- credit Boundary Engineering Team
Introduced: 9 Feb 2023
CVE-2023-0690
How to fix?
Upgrade github.com/hashicorp/boundary/internal/cmd/commands/dev to version 0.12.0 or higher.
Overview
Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information when a PKI-based worker is run with a Key Management Service (KMS) defined in the configuration file. Credentials newly created by an automatic rotation may not be encrypted with the intended KMS, so they are stored in plaintext on the Boundary PKI worker’s disk.
Mitigation
After upgrading to the fixed version, customers should perform one of the following actions:
- Wait for the next worker authentication rotation to occur, typically within one week, at which point the new credentials should be properly encrypted.
- Delete the worker from the system and re-authorize it, forcing the worker to generate a new set of credentials immediately, which will be encrypted.