CVE-2021-38554 — Improper Removal of Sensitive Information Before Storage or Transfer in Hashicorp Vault

CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer CWE-200 — Sensitive Information Exposure5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 45.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Vault Hashicorp Vault

Timeline

PublishedAug 13

Latest updateAug 21

Description

HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages2 packages

▶NVDhashicorp/vault< 1.8.0

▶Gogithub.com/hashicorp_vault1.7.0 — 1.7.4+1

🔴Vulnerability Details

OSV

Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault↗2024-08-21

▶

GHSA

Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault↗2021-08-30

▶

OSV

Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault↗2021-08-30

▶

📋Vendor Advisories

Red Hat

vault: UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser↗2021-08-13

▶