HCSEC-2021-13 - Vault GitHub Action Did Not Correctly Mask Multi-Line Secrets In Output

Bulletin ID: HCSEC-2021-13
Affected Products / Versions: vault-action 0.1.0 through 2.1.2; fixed in 2.2.0.
Publication Date: May 6, 2021

Summary
The Vault GitHub Action, vault-action or vault-secrets (“vault-action”), did not correctly mask multi-line secrets in its output. This vulnerability, CVE-2021-32074, was fixed in vault-action 2.2.0.

Background
The Vault GitHub Action, vault-action (https://github.com/marketplace/actions/vault-secrets, https://github.com/hashicorp/vault-action), simplifies using HashiCorp Vault secrets as GitHub Actions variables.

By default, vault-action automatically marks all Vault secrets imported into GitHub Actions variables as secret, which causes GitHub Actions to mask them when included in output.

Details
The vault-action implementation did not correctly mark multi-line variables as secret. As a result, when a multi-line secret appeared in vault-action output, it was not masked.
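The following is an added example, not code from vault-action or HashiCorp, that models why a multi-line value registered as a single mask is not redacted. It assumes the runner behaviour documented by GitHub: masks are registered per value (the `::add-mask::` workflow command, or `core.setSecret` in a JavaScript action) and applied to log output one line at a time, so a value containing newlines never matches any single line. The helper names (`addMask`, `redactLog`, `maskWholeValue`, `maskPerLine`) and the sample key are constructed for illustration.

```javascript
// Added example (not vault-action's own code): a minimal model of GitHub Actions
// output masking, showing why a multi-line secret registered as one value leaks
// and how registering each line separately fixes it.

const registeredMasks = new Set();

// Model of `core.setSecret(value)` / the `::add-mask::` command (assumption:
// the runner stores the value and later redacts exact matches from log lines).
function addMask(value) {
  if (value.length > 0) registeredMasks.add(value);
}

// Model of the runner's log filter: output is processed one line at a time,
// and every registered mask is replaced with '***' within that line.
function redactLog(output) {
  return output.split('\n').map((line) => {
    let redacted = line;
    for (const mask of registeredMasks) {
      redacted = redacted.split(mask).join('***');
    }
    return redacted;
  }).join('\n');
}

function resetMasks() {
  registeredMasks.clear();
}

// Weak approach: register the whole multi-line value once. Because the mask
// contains newlines, a line-oriented filter can never match it.
function maskWholeValue(secret) {
  addMask(secret);
}

// Hardened approach: register every non-empty line of the secret separately,
// so each line of the secret can be matched and redacted on its own.
function maskPerLine(secret) {
  for (const line of secret.split(/\r?\n/)) {
    if (line.trim().length > 0) addMask(line);
  }
}

// Constructed sample: a placeholder multi-line value, not real key material.
const SAMPLE_SECRET =
  '-----BEGIN FAKE KEY-----\nABCDEF0123456789\n-----END FAKE KEY-----';

// Register the sample with the given strategy, then run a log that echoes it
// through the filter and return what an observer of the log would see.
function demo(maskFn) {
  resetMasks();
  maskFn(SAMPLE_SECRET);
  const log = `Imported secret:\n${SAMPLE_SECRET}\ndone`;
  return redactLog(log);
}

// True if the secret body is still readable in the redacted log.
function secretLeaks(maskFn) {
  return demo(maskFn).includes('ABCDEF0123456789');
}

console.log('whole-value masking leaks:', secretLeaks(maskWholeValue)); // true
console.log('per-line masking leaks:', secretLeaks(maskPerLine));       // false
console.log(demo(maskPerLine));
```

Per-line registration is the mitigation for a line-oriented filter; skipping blank or whitespace-only lines avoids registering masks that would match nothing meaningful. Very short lines (a lone `=` or a single character) would cause over-redaction of unrelated output, which is a trade-off a real action has to decide on; the advisory's point is only that masking the value as a whole leaves every line of it readable.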

Note that this is not a vulnerability in HashiCorp Vault or Vault Enterprise, but is specific to the Vault GitHub Action as described above.

Remediation
Customers using vault-action should evaluate the risk associated with this issue, and consider upgrading to vault-action 2.2.0 or newer. Please refer to https://github.com/marketplace/actions/vault-secrets for more information.

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.