CVE-2020-13223: Insertion of Sensitive Information into Log File

May 18, 2021 (updated July 29, 2021)

HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.

References

github.com/advisories/GHSA-25xj-89g5-fm6h
github.com/hashicorp/vault/blob/master/CHANGELOG.md
github.com/hashicorp/vault/commit/87f47c216cf1a28f4054b80cff40de8c9e00e36c
github.com/hashicorp/vault/commit/e52f34772affb69f3239b2cdf6523cb7cfd67a92
nvd.nist.gov/vuln/detail/CVE-2020-13223

Detect and mitigate CVE-2020-13223 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →