VDB

HCSEC-2022-16

HCSEC-2022-16 PUBLISHED

**Bulletin ID:** HCSEC-2022-16 **Affected Products / Versions:** Consul Template up to 0.27.2, 0.28.2, and 0.29.1; fixed in 0.27.3, 0.28.3, and 0.29.2. **Publication Date:** August 16, 2022 **Summary** A vulnerability was identified in Consul Template such that invalid template contents can reveal the contents of a Vault secret. This vulnerability, CVE-2022-38149, was fixed in Consul Template 0.27.3, 0.28.3, and 0.29.2. **Background** Consul Templates provides a programmatic method for rendering configuration files from a variety of locations, including Vault. It may be used as either a library, or a command-line application. For more information, see the [tutorial](https://learn.hashicorp.com/tutorials/consul/consul-template). **Details** An external party reported that invalid templates could inadvertently reveal the contents of Vault secret in errors returned by the [*template.Template.Execute](https://pkg.go.dev/github.com/hashicorp/consul-template/template#Template.Execute) method, when given a template using Vault secret contents incorrectly. This method has been updated to redact Vault secrets when creating an error string, making it safe to log the error. **Remediation** Customers should evaluate the risk associated with this issue and consider upgrading to Consul Template 0.27.3, 0.28.3, and 0.29.2, or newer. **Acknowledgement** HashiCorp thanks Fulton Byrne at Commercetools GmbH for identifying and reporting this issue. *We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.*

Timeline

  • Aug 16, 2022 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›