CVE-2022-38149 – github.com/hashicorp/consul-template
Package
Manager: go
Name: github.com/hashicorp/consul-template
Vulnerable Version: >=0 <0.27.3 || >=0.28.0 <0.28.3 || >=0.29.0 <0.29.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00389 (percentile 0.59191)
Details
HashiCorp Consul Template could reveal Vault secret contents in error messages.
In HashiCorp Consul Template through version 0.29.1, invalid templates could inadvertently reveal the contents of Vault secrets in errors returned by the `*template.Template.Execute` method, when given a template using Vault secret contents incorrectly. This method has been updated to redact Vault secrets when creating an error string, making it safe to log the error. This issue was fixed in version 0.29.2.
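The failure mode described above, reproduced with Go's standard `text/template` as an added example (not consul-template's own code): a template function error quotes its input, so a misused secret ends up in the error string unless it is redacted before logging. The helper names `render` and `redactErr`, the `parseInt` mapping to `strconv.Atoi`, and the secret values are assumptions made for this sketch.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"text/template"
)

// render (hypothetical helper) executes tmpl and returns the raw template error.
func render(tmpl string, secrets map[string]string) (string, error) {
	fm := template.FuncMap{"parseInt": strconv.Atoi} // assumed function name
	t, err := template.New("demo").Funcs(fm).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, secrets)
	return out.String(), err
}

// redactErr rebuilds err with every secret value replaced, longest value first.
func redactErr(err error, secrets map[string]string) error {
	if err == nil {
		return nil
	}
	var vals []string
	for _, v := range secrets {
		if v == "" {
			continue // an empty needle would match everywhere
		}
		q := strconv.Quote(v) // strconv errors quote and escape their input
		vals = append(vals, v, q[1:len(q)-1])
	}
	sort.Slice(vals, func(i, j int) bool { return len(vals[i]) > len(vals[j]) })
	msg := err.Error()
	for _, v := range vals {
		msg = strings.ReplaceAll(msg, v, "[redacted]")
	}
	return errors.New(msg)
}

func main() {
	secrets := map[string]string{"password": "s3cr3t-constructed"} // constructed value
	_, err := render(`port = {{ parseInt .password }}`, secrets)
	fmt.Printf("raw:      %v\nredacted: %v\n", err, redactErr(err, secrets))
}
```

Substring replacement only catches a secret in its literal or Go-escaped form; a value that reaches the error after another transformation (for example base64 encoding) would need its transformed form added to the redaction list.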
Metadata
Created: 2022-08-18T00:00:17Z
Modified: 2024-05-20T21:32:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8449-7gc2-pwrp/GHSA-8449-7gc2-pwrp.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-8449-7gc2-pwrp
Finding: F009
Auto approve: 1