CVE-2020-13223
Published 2020-06-10
CVE-2020-13223: HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.
Priority: P3 · 36 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.23% (65.3th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 1.3.0 < 1.3.6 | 1.3.6 |
| github.com | hashicorp_vault | >= 1.4.0 < 1.4.2 | 1.4.2 |
| hashicorp | vault | < 1.3.6 | 1.3.6 |
| hashicorp | vault | >= 1.4.0 < 1.4.2 | 1.4.2 |
CVSS provenance
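| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | | 7.5 | HIGH | |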
OSV
Information Disclosure in HashiCorp Vault in github.com/hashicorp/vault
osv·2024-08-21
CVE-2020-13223 Information Disclosure in HashiCorp Vault in github.com/hashicorp/vault
OSV
Information Disclosure in HashiCorp Vault
osv·2021-05-18
CVE-2020-13223 [HIGH] Information Disclosure in HashiCorp Vault
HashiCorp Vault and Vault Enterprise before 1.3.6, and 1.4.2 before 1.4.2, insert Sensitive Information into a Log File. The vulnerability affects the `github.com/hashicorp/vault/command` Go package.
GHSA
Information Disclosure in HashiCorp Vault
ghsa·2021-05-18
CVE-2020-13223 [HIGH] CWE-200 Information Disclosure in HashiCorp Vault
HashiCorp Vault and Vault Enterprise before 1.3.6, and 1.4.2 before 1.4.2, insert Sensitive Information into a Log File. The vulnerability affects the `github.com/hashicorp/vault/command` Go package.
Red Hat
vault: Information disclosure from logged proxy environment variables
vendor_redhat·2020-05-21·CVSS 7.5
CVE-2020-13223 [HIGH] CWE-200 vault: Information disclosure from logged proxy environment variables
HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.
A flaw was found in HashiCorp Vault. HashiCorp Vault and Vault Enterprise could allow a remote attacker to obtain sensitive information, because sensitive information is inserted into a log file. By accessing the log file, a remote attacker can obtain sensitive information.
Package: openshift4/ose-installer (Red Hat OpenShift Container Platform 4) - Not affected
Package: ocs4/cephcsi-rhel8 (Red Hat Openshift Container Storage 4) - Not affected
Package: ocs4/mcg-rhel8-operator (Red Hat Openshift Container Storage 4) - Not affected
Package: ocs4/ocs-rhel8-operator (
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-06-10