GHSA-8449-7gc2-pwrp

Source
https://github.com/advisories/GHSA-8449-7gc2-pwrp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8449-7gc2-pwrp/GHSA-8449-7gc2-pwrp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8449-7gc2-pwrp
Aliases
Published
2022-08-18T00:00:17Z
Modified
2024-05-20T21:32:47Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
HashiCorp Consul Template could reveal Vault secret contents in error messages
Details

In HashiCorp Consul Template through version 0.29.1, invalid templates could inadvertently reveal the contents of a Vault secret in errors returned by the *template.Template.Execute method, when given a template that uses Vault secret contents incorrectly. This method has been updated to redact Vault secrets when creating an error string, making it safe to log the error. This issue was fixed in version 0.29.2.
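
The leak pattern described above can be reproduced with Go's standard text/template package. The following is an added example, not code from this advisory or from Consul Template: the `parseInt` helper defined here, `render`, `redactError` and the secret value are hypothetical, and masking by string replacement is an assumed mitigation, not the upstream patch.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Constructed sample standing in for a value read from Vault.
const constructedSecret = "s3cr3t-constructed-value"

// render executes a template that uses the secret incorrectly: it pipes a
// non-numeric string into a hypothetical integer-parsing helper.
func render(secret string) error {
	funcs := template.FuncMap{
		"parseInt": func(s string) (int, error) { return strconv.Atoi(s) },
	}
	tmpl, err := template.New("demo").Funcs(funcs).Parse(`port = {{ .Secret | parseInt }}`)
	if err != nil {
		return err
	}
	var out bytes.Buffer
	return tmpl.Execute(&out, map[string]string{"Secret": secret})
}

// redactError rebuilds the error text with every known secret value masked,
// so the result can be logged. Hypothetical helper, not the upstream patch.
func redactError(err error, secrets ...string) error {
	if err == nil {
		return nil
	}
	msg := err.Error()
	for _, s := range secrets {
		if s != "" {
			msg = strings.ReplaceAll(msg, s, "[redacted]")
		}
	}
	return errors.New(msg)
}

func main() {
	err := render(constructedSecret)
	fmt.Println("raw error:     ", err)
	fmt.Println("redacted error:", redactError(err, constructedSecret))
}
```

The raw error carries the secret because the helper's own error quotes its input and Execute wraps that message unchanged; on an unpatched version, a wrapper like this has to run before the error reaches any logger.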

Database specific
{
    "nvd_published_at": "2022-08-17T15:15:00Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-30T20:17:03Z"
}
References

Affected packages

Go / github.com/hashicorp/consul-template

Package

Name
github.com/hashicorp/consul-template
Purl
pkg:golang/github.com/hashicorp/consul-template

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.27.3

Go / github.com/hashicorp/consul-template

Package

Name
github.com/hashicorp/consul-template
Purl
pkg:golang/github.com/hashicorp/consul-template

Affected ranges

Type
SEMVER
Events
Introduced
0.28.0
Fixed
0.28.3

Go / github.com/hashicorp/consul-template

Package

Name
github.com/hashicorp/consul-template
Purl
pkg:golang/github.com/hashicorp/consul-template

Affected ranges

Type
SEMVER
Events
Introduced
0.29.0
Fixed
0.29.2