AIKIDO-2024-10441

vaultrs is vulnerable to Insertion of Sensitive Information into Log File

47

Medium

vaultrs rust

AIKIDO-2024-10441: vaultrs is vulnerable to Insertion of Sensitive Information into Log File in versions 0.5.1 - 0.7.2.

Insertion of Sensitive Information into Log File
Vuln in 0.5.1 - 0.7.2
Fixed in 0.7.3
No CVE available
TL;DR

Affected versions of this package may leak the unseal key into the logs: the unseal key is logged when a request is made to /sys/unseal. This is a problem even when the user only prints logs to stdout, because the unseal key can still end up written to disk through the swap mechanism. Furthermore, since it is the user who configures the logging subscriber, the unseal key could be sent to a remote log server without the user noticing.
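One way a Rust client can keep a secret such as an unseal key share out of formatted log lines is to wrap it in a type whose `Debug` and `Display` output is a fixed placeholder, while serialization still reads the real value explicitly. This is an added illustration of the mitigation pattern, not vaultrs's own code or its fix; the `Secret` wrapper and the `UnsealRequest` type are assumptions, and the key value is constructed.

```rust
use std::fmt;

/// Wrapper for a secret value. Formatting it with `{:?}` or `{}` yields a
/// placeholder, so a tracing/log statement that formats a request struct
/// cannot copy the secret into a log file, stdout, or swapped-out memory.
pub struct Secret(String);

impl Secret {
    pub fn new(value: impl Into<String>) -> Self {
        Secret(value.into())
    }

    /// The only way to read the real value; call sites are easy to audit.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

impl fmt::Display for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

/// Hypothetical body for a request to /sys/unseal (assumption, not a vaultrs type).
#[derive(Debug)]
pub struct UnsealRequest {
    pub key: Secret,
    pub reset: bool,
    pub migrate: bool,
}

/// What a `{:?}`-style trace line for this request would contain.
pub fn trace_line(req: &UnsealRequest) -> String {
    format!("sending request: {:?}", req)
}

/// Serialization still gets the real key through `expose()`; only formatting
/// for logs is redacted. Hand-built JSON for the example (use serde in practice).
pub fn request_body_json(req: &UnsealRequest) -> String {
    format!(r#"{{"key":"{}","reset":{},"migrate":{}}}"#, req.key.expose(), req.reset, req.migrate)
}

fn main() {
    // Constructed sample key share, not a real unseal key.
    let req = UnsealRequest { key: Secret::new("constructed-unseal-key-share"), reset: false, migrate: false };
    println!("{}", trace_line(&req));
    println!("{}", request_body_json(&req));
}
```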

Who does this affect?

You are affected if you use a version within the vulnerable range (0.5.1 - 0.7.2).

How can it be fixed?

Upgrade the vaultrs library to the patched version, 0.7.3 or later.


© 2024 Aikido Security BV | BE0792914919