HCSEC-2022-16 - Consul Template May Expose Vault Secrets When Processing Invalid Input

Bulletin ID: HCSEC-2022-16
Affected Products / Versions: Consul Template up to 0.27.2, 0.28.2, and 0.29.1; fixed in 0.27.3, 0.28.3, and 0.29.2.
Publication Date: August 16, 2022

A vulnerability was identified in Consul Template such that invalid template contents can reveal the contents of a Vault secret. This vulnerability, CVE-2022-38149, was fixed in Consul Template 0.27.3, 0.28.3, and 0.29.2.

Consul Template provides a programmatic method for rendering configuration files from a variety of sources, including Vault. It may be used either as a library or as a command-line application. For more information, see the tutorial.

An external party reported that invalid templates could inadvertently reveal the contents of a Vault secret in the errors returned by the *template.Template.Execute method, when given a template that uses the Vault secret's contents incorrectly. This method has been updated to redact Vault secrets when building the error string, making the error safe to log.
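The failure mode described above, as an added illustration written for this page rather than consul-template's own code: a Go text/template that misuses a secret value, the unredacted error Go's template engine produces, and a redaction step of the kind the fix adds. The secret map and its values are constructed sample data.

```go
package main

import (
	"errors"
	"strings"
	"text/template"
)

// vaultSecret stands in for the data a Vault KV read hands to a template (constructed sample).
type vaultSecret struct {
	Data map[string]interface{}
}

// executeRaw runs tmpl against secret and returns text/template's own error unchanged.
// This is the pre-fix behaviour: when the template misuses a value (for example ranges
// over a string) text/template formats that value with %v, so the secret lands in the error.
func executeRaw(tmpl string, secret vaultSecret) (string, error) {
	t, err := template.New("t").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, secret); err != nil {
		return "", err
	}
	return out.String(), nil
}

// redactSecret replaces every string-valued field of the secret in the error message so
// the result is safe to log. Illustration of the fix's approach, not consul-template's code.
func redactSecret(err error, secret vaultSecret) error {
	msg := err.Error()
	for _, v := range secret.Data {
		if s, ok := v.(string); ok && s != "" {
			msg = strings.ReplaceAll(msg, s, "[redacted]")
		}
	}
	return errors.New(msg)
}

// renderTemplate is the post-fix path: the same execution, with any
// execution error redacted before it reaches the caller's logs.
func renderTemplate(tmpl string, secret vaultSecret) (string, error) {
	out, err := executeRaw(tmpl, secret)
	if err != nil {
		return "", redactSecret(err, secret)
	}
	return out, nil
}
```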

Customers should evaluate the risk associated with this issue and consider upgrading to Consul Template 0.27.3, 0.28.3, or 0.29.2, or newer.

HashiCorp thanks Fulton Byrne at Commercetools GmbH for identifying and reporting this issue.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.