HCSEC-2023-17 - Vault’s KV Diff Viewer Allowed HTML Injection

Bulletin ID: HCSEC-2023-17
Affected Products / Versions: Vault and Vault Enterprise since 1.10.0; fixed in 1.14.0, 1.13.3, 1.12.7 and 1.11.11.
Publication Date: June 9, 2023

Summary
Vault and Vault Enterprise’s (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

Background
Vault 1.10.0 introduced the ability to easily review the diff between two revisions of kv-v2 key-value secrets in Vault’s web UI.

Details
A user with write privileges to a kv-v2 secrets engine mount could provide a string that would be incorrectly sanitized and rendered as raw HTML by Vault’s web UI.

By default, Vault’s Content Security Policy prevents the execution of inline JavaScript, therefore preventing exposure to cross-site scripting via this vector. (Vault uses three main mechanisms for preventing cross-site scripting: strong typing and input validation on the backend, framework-provided output encoding on the frontend, and a restrictive, customizable Content Security Policy that includes script-src 'self' by default.)
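The two frontend layers named above, output encoding of key values and a script-src policy that blocks inline script, are illustrated by the following added example. It is not Vault's code; the diff-row renderer, the CSP parser and the sample value are constructed for illustration.

```javascript
// Output-encode a value before it is placed into HTML, so a key value is
// rendered as text rather than parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one row of a diff between two secret versions. The key name is
// user-controlled as well, so it gets the same encoding as the values.
function renderDiffRow(key, oldValue, newValue) {
  return `<tr><td>${escapeHtml(key)}</td>` +
    `<td class="old">${escapeHtml(oldValue)}</td>` +
    `<td class="new">${escapeHtml(newValue)}</td></tr>`;
}

// Parse a Content-Security-Policy header value into directive -> sources.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// True if the policy would let injected inline script run. script-src falls
// back to default-src when absent; with neither, nothing is restricted.
function allowsInlineScript(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed sample: a key value that contains markup.
const sampleValue = "<b>injected markup</b>";

// Stand-alone run: the rendered row contains no live tags from the value,
// and a script-src 'self' policy rejects inline script.
console.log(renderDiffRow("password", "old-secret", sampleValue));
console.log(allowsInlineScript("default-src 'self'; script-src 'self'"));
```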

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.14.0, 1.13.3, 1.12.7, and 1.11.11, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by Michal Zaczek of Securitum.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.