The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Upgrade github.com/hashicorp/vault/ui/app/routes/vault/cluster to version 1.6.6, 1.7.4 or higher.
Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer because the Vault UI web application did not fully clear its client-side data cache on user logout. Secrets viewed during one session remained in the browser's in-memory state, so a different user who logs in afterwards in the same browser window or tab, without that window or tab having been refreshed or closed between the logout and the new login, can read sensitive data from the previous session.
Note:
Vault deployments that do not enable the Vault UI are not affected by this issue.
Exploiting this vulnerability is possible if the following two conditions are met:
The same browser instance must be used between sessions, and the window or tab must not have been closed or refreshed in between the user sessions.
The exposed secret(s) must have been viewed by the previous user in that same window or tab; secrets that were never loaded into the client-side cache are not exposed.
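The following is an added illustration of the bug class described above and of why both conditions are required. It is not code from the Vault repository or from HashiCorp: the real Vault UI is an Ember application with a different store and route structure, and the `SecretsTab`, `constructedBackend`, user names and secret paths below are hypothetical stand-ins. One `SecretsTab` instance models one browser tab whose JavaScript heap survives logout unless the tab is refreshed or closed; the only difference between the vulnerable and fixed variants is whether `logout()` empties the client-side cache.

```javascript
// Constructed stand-in for the server side: each user may read only their own secrets.
const constructedBackend = {
  secrets: {
    alice: { "kv/alice/db": { password: "alice-db-pass" } },
    bob:   { "kv/bob/api":   { key: "bob-api-key" } },
  },
  read(user, path) {
    const owned = this.secrets[user] || {};
    if (!(path in owned)) throw new Error(`403: ${user} may not read ${path}`);
    return owned[path];
  },
};

// Hypothetical model of one browser tab: a long-lived heap holding a client-side
// data cache. The cache outlives login/logout unless the tab is refreshed or closed.
class SecretsTab {
  constructor(backend, { clearCacheOnLogout }) {
    this.backend = backend;
    this.clearCacheOnLogout = clearCacheOnLogout;
    this.cache = new Map(); // client-side data cache, keyed by secret path
    this.user = null;       // stands in for the session token
  }
  login(user) { this.user = user; }
  logout() {
    this.user = null;                                // both variants drop the token
    if (this.clearCacheOnLogout) this.cache.clear(); // only the fixed variant drops cached data
  }
  // Cache-first read, as a typical client store does: a cached entry is served
  // without consulting the server, so the server's authorization is never re-checked.
  viewSecret(path) {
    if (!this.user) throw new Error("not logged in");
    if (this.cache.has(path)) return this.cache.get(path);
    const data = this.backend.read(this.user, path);
    this.cache.set(path, data);
    return data;
  }
}

// Advisory scenario: alice and bob share one tab that is neither closed nor refreshed.
// previousUserViewed controls whether alice actually loaded the secret before logging out.
function sharedTabScenario({ clearCacheOnLogout, previousUserViewed }) {
  const tab = new SecretsTab(constructedBackend, { clearCacheOnLogout });
  tab.login("alice");
  if (previousUserViewed) tab.viewSecret("kv/alice/db"); // condition 2
  tab.logout();                                          // condition 1: same tab, no reload
  tab.login("bob");
  try {
    return { leaked: true, value: tab.viewSecret("kv/alice/db") };
  } catch (e) {
    return { leaked: false, error: e.message };
  }
}

// Refresh or new tab: a fresh heap, so even the unfixed variant has nothing to leak.
function refreshedTabScenario() {
  const before = new SecretsTab(constructedBackend, { clearCacheOnLogout: false });
  before.login("alice");
  before.viewSecret("kv/alice/db");
  before.logout();
  const after = new SecretsTab(constructedBackend, { clearCacheOnLogout: false }); // new heap
  after.login("bob");
  try {
    return { leaked: true, value: after.viewSecret("kv/alice/db") };
  } catch (e) {
    return { leaked: false, error: e.message };
  }
}

console.log("vulnerable, viewed, same tab:",
  sharedTabScenario({ clearCacheOnLogout: false, previousUserViewed: true }));
console.log("vulnerable, not viewed, same tab:",
  sharedTabScenario({ clearCacheOnLogout: false, previousUserViewed: false }));
console.log("fixed, viewed, same tab:",
  sharedTabScenario({ clearCacheOnLogout: true, previousUserViewed: true }));
console.log("vulnerable, viewed, tab refreshed:", refreshedTabScenario());
```

Only the first case leaks: the cache is populated, survives logout, and is consulted before the server on the next read. Removing either condition (the secret was never viewed, or the tab was refreshed) leaves nothing cached for bob to read, which is exactly why the advisory lists both as prerequisites; the fix is to empty the client-side cache as part of logout rather than relying on the server to re-authorize reads that never reach it.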