HSEC-2022-16 - Consul Template May Expose Vault Secrets When Processing Invalid Input

Bulletin ID: HCSEC-2022-16
Affected Products / Versions: Consul Template up to 0.27.2, 0.28.2, and 0.29.1; fixed in 0.27.3, 0.28.3, and 0.29.2.
Publication Date: August 16, 2022

Summary
A vulnerability was identified in Consul Template such that invalid template contents can reveal the contents of a Vault secret. This vulnerability, CVE-2022-38149, was fixed in Consul Template 0.27.3, 0.28.3, and 0.29.2.

Background
Consul Templates provides a programmatic method for rendering configuration files from a variety of locations, including Vault. It may be used as either a library, or a command-line application. For more information, see the tutorial.

Details
An external party reported that invalid templates could inadvertently reveal the contents of Vault secret in errors returned by the *template.Template.Execute method, when given a template using Vault secret contents incorrectly. This method has been updated to redact Vault secrets when creating an error string, making it safe to log the error.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul Template 0.27.3, 0.28.3, and 0.29.2, or newer.

Acknowledgement
HashiCorp thanks Fulton Byrne at Commercetools GmbH for identifying and reporting this issue.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.