HCSEC-2020-13 - Vault Proxy Environment Variable Was Logged to STDOUT

Bulletin ID: HCSEC-2020-13
Affected Products / Versions: Vault and Vault Enterprise; fixed in 1.3.6 and 1.4.2.
Publication Date: 21 May, 2020

Vault and Vault Enterprise (“Vault”) logged proxy environment variables that potentially included sensitive credentials. This vulnerability, CVE-2020-13223, was fixed in Vault 1.3.6 and 1.4.2.

Vault respects the HTTP_PROXY and HTTPS_PROXY environment variables.

When the HTTP_PROXY and HTTPS_PROXY variables were configured, Vault logged their values to STDOUT. Where those values contained proxy server credentials, the credentials were included in the Vault log.

If deemed necessary, based on deployment / use case and conditions described above, operators should upgrade to Vault or Vault Enterprise 1.3.6 or 1.4.2, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Additionally, consider reviewing your Vault logs for proxy server credential disclosure and rotating those credentials if determined necessary.
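One way to carry out the log review described above, as an added example that is not HashiCorp's code: it flags log lines that contain an http(s) URL with an embedded password and returns them with the password masked. The function names `redact` and `scan` are hypothetical, and the sample lines are constructed, not Vault's actual log format.

```python
import re
from urllib.parse import urlsplit

# Candidate http(s) URLs; whether one carries a password is decided after parsing.
URL_RE = re.compile(r"https?://[^\s\"'<>,;)\]]+", re.IGNORECASE)

# Constructed sample lines (assumption: not Vault's real log format).
SAMPLE_LOG = [
    "2020-05-20T09:14:02Z [INFO] proxy environment: http_proxy= https_proxy=http://proxy.example.internal:3128",
    "2020-05-20T09:14:02Z [INFO] proxy environment: https_proxy=http://svc-vault:S3cr3t%21@proxy.example.internal:3128",
    "2020-05-20T09:14:03Z [INFO] core: security barrier not initialized",
    'HTTPS_PROXY="https://ops:p@ss@10.0.0.5:8443"',
]

def redact(url):
    """Return (url_with_password_masked, had_password)."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL, e.g. unbalanced IPv6 brackets
        return url, False
    if not parts.password:
        return url, False
    host = parts.netloc.rpartition("@")[2]   # split on the LAST '@'
    masked = parts._replace(netloc=f"{parts.username}:REDACTED@{host}")
    return masked.geturl(), True

def scan(lines):
    """Return [(line_number, redacted_line)] for lines exposing a proxy password."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        safe, hit = line.rstrip("\n"), False
        for match in URL_RE.finditer(line):
            masked, had_password = redact(match.group(0))
            if had_password:
                safe, hit = safe.replace(match.group(0), masked), True
        if hit:
            findings.append((lineno, safe))
    return findings

if __name__ == "__main__":
    for lineno, safe in scan(SAMPLE_LOG):
        print(f"line {lineno}: {safe}")
```

Because the findings are already masked, they can be attached to a ticket without spreading the credential further; each hit identifies a proxy account to consider for rotation.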

This issue was identified by an external party who reported it privately to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.