Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured
CVE-2023-0690
5MEDIUM
What is CVE-2023-0690?
A vulnerability in HashiCorp Boundary versions 0.10.0 through 0.11.2 can lead to credentials being stored in plaintext. When using a PKI-based worker with a configured Key Management Service (KMS), new credentials created after automatic rotation may not be encrypted as intended, resulting in sensitive information being written to disk without adequate protection. This severe oversight necessitates immediate attention, as it can expose critical credentials to unauthorized access.
Affected Version(s)
Boundary Windows 0.10.0 <= 0.11.2