Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured
CVE-2023-0690

5MEDIUM

Key Information:

Vendor: Hashicorp
Status: Boundary
Vendor: CVE Published:; 8 February 2023

Summary

A vulnerability in HashiCorp Boundary versions 0.10.0 through 0.11.2 can lead to credentials being stored in plaintext. When using a PKI-based worker with a configured Key Management Service (KMS), new credentials created after automatic rotation may not be encrypted as intended, resulting in sensitive information being written to disk without adequate protection. This severe oversight necessitates immediate attention, as it can expose critical credentials to unauthorized access.

Affected Version(s)

Boundary Windows 0.10.0 <= 0.11.2

References

https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-wo...

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 8, 2023
Vulnerability Reserved
Feb 6, 2023