Fluid Attacks Database

Description

HashiCorp Consul Template could reveal Vault secret contents in error messages In HashiCorp Consul Template through version 0.29.1, invalid templates could inadvertently reveal the contents of Vault secret in errors returned by the *template.Template.Execute 5 method, when given a template using Vault secret contents incorrectly. This method has been updated to redact Vault secrets when creating an error string, making it safe to log the error.. This issue was fixed in version 0.29.2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/consul-template	>=0 <0.27.3 \|\| >=0.28.0 <0.28.3 \|\| >=0.29.0 <0.29.2	0.27.3, 0.28.3, 0.29.2
go	github.com/hashicorp/consul	>=0 <=0.29.1	v0.29.2
go	github.com/hashicorp/consul-template/template	>=0 <0.27.3 \|\| >=0.28.0 <0.28.3 \|\| >=0.29.0 <0.29.2	v0.27.3, v0.28.3, v0.29.2

Aliases

1. CVE-2022-381492. NVD-2022-381493. OSV-2022-381494. GHSA-8449-7gc2-pwrp5. GCVE-2022-38149

References

1. https://github.com/hashicorp/consul-template/commit/d6a6f4af219c28e67d847ba0e0b2bea8f5bb90762. https://discuss.hashicorp.com/t/hsec-2022-16-consul-template-may-expose-vault-secrets-when-processing-invalid-input/432153. https://pkg.go.dev/vuln/GO-2022-09804. https://discuss.hashicorp.com