CVE-2021-32074 hashicorp/vault-action

Package

Manager: github_actions
Name: hashicorp/vault-action
Vulnerable Version: >=0 <2.2.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00346 (percentile: 0.56426)

Details

Vault GitHub Action did not correctly mask multi-line secrets in output

HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking. The vault-action implementation did not correctly handle the marking of multi-line variables. As a result, multi-line secrets were not correctly masked in vault-action output.

Remediation: Customers using vault-action should evaluate the risk associated with this issue, and consider upgrading to vault-action 2.2.0 or newer. Please refer to https://github.com/marketplace/actions/hashicorp-vault for more information.
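The masking failure described above, as an added example that is not code from vault-action or the GitHub Actions runner: a multi-line secret registered as one mask value is compared with the same secret registered line by line. It assumes a simplified masker that scans log output one line at a time; `SAMPLE_SECRET`, `maskLog` and the other names are constructed for illustration.

```javascript
// Simplified model of line-oriented log masking (assumption, not runner code).

// Constructed sample secret; not a real key.
const SAMPLE_SECRET = [
  "-----BEGIN EXAMPLE KEY-----",
  "Y29uc3RydWN0ZWQtc2FtcGxlLWxpbmUtMQ==",
  "Y29uc3RydWN0ZWQtc2FtcGxlLWxpbmUtMg==",
  "-----END EXAMPLE KEY-----",
].join("\n");

// Weak registration: the whole multi-line value as a single mask.
function masksWholeValue(secret) {
  return [secret];
}

// Hardened registration: the whole value plus every non-empty line of it.
function masksPerLine(secret) {
  const lines = secret.split(/\r?\n/).filter((l) => l.length > 0);
  return [...new Set([secret, ...lines])];
}

// Mask a log one line at a time, replacing each registered value with "***".
// A mask containing "\n" can never match inside a single line.
function maskLog(log, masks) {
  const ordered = [...masks].sort((a, b) => b.length - a.length);
  return log
    .split("\n")
    .map((line) => ordered.reduce((out, m) => out.split(m).join("***"), line))
    .join("\n");
}

// Detection helper: which lines of the secret are still readable in the log?
function leakedLines(log, secret) {
  return secret
    .split(/\r?\n/)
    .filter((l) => l.length > 0 && log.includes(l));
}

// Constructed log output that echoes the secret.
const SAMPLE_LOG = "Fetched secret:\n" + SAMPLE_SECRET + "\ndone";

const weak = maskLog(SAMPLE_LOG, masksWholeValue(SAMPLE_SECRET));
const hardened = maskLog(SAMPLE_LOG, masksPerLine(SAMPLE_SECRET));
console.log("weak leaks:", leakedLines(weak, SAMPLE_SECRET).length);
console.log("hardened leaks:", leakedLines(hardened, SAMPLE_SECRET).length);
```

Per-line registration can over-mask when a line of the secret is short or common, so a helper like `leakedLines` is also useful for auditing stored logs from runs made before the upgrade.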

Metadata

Created: 2022-05-24T19:01:50Z
Modified: 2024-01-25T19:58:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4mgv-m5cm-f9h7/GHSA-4mgv-m5cm-f9h7.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-4mgv-m5cm-f9h7
Finding: F009
Auto approve: 1