Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured
CVE-2023-0690

7.1HIGH

Key Information:

Vendor: HashiCorp
Status: Boundary
Vendor: CVE Published:; 8 February 2023

Summary

A vulnerability in HashiCorp Boundary versions 0.10.0 through 0.11.2 can lead to credentials being stored in plaintext. When using a PKI-based worker with a configured Key Management Service (KMS), new credentials created after automatic rotation may not be encrypted as intended, resulting in sensitive information being written to disk without adequate protection. This severe oversight necessitates immediate attention, as it can expose critical credentials to unauthorized access.

Affected Version(s)

Boundary Windows 0.10.0 <= 0.11.2

References

https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-wo...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 8, 2023
Vulnerability Reserved
Feb 6, 2023