Vulnerability Description
HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hashicorp | Vault-Action | >= 0.1.0, < 2.2.0 |
Related Weaknesses (CWE)
References
- https://discuss.hashicorp.com/t/hcsec-2021-13-vault-github-action-did-not-correc (Vendor Advisory)
- https://github.com/hashicorp/vault-action/blob/master/CHANGELOG.md (Third Party Advisory)
- https://github.com/hashicorp/vault-action/issues/205 (Exploit, Third Party Advisory)
- https://github.com/hashicorp/vault-action/pull/208 (Patch, Third Party Advisory)
FAQ
What is CVE-2021-32074?
CVE-2021-32074 is a vulnerability with a CVSS score of 7.5 (HIGH). HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actio...
How severe is CVE-2021-32074?
CVE-2021-32074 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-32074?
Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Vault-Action.