| id: GO-2022-0980 |
| modules: |
| - module: github.com/hashicorp/consul-template |
| versions: |
| - fixed: 0.27.3 |
| - introduced: 0.28.0 |
| - fixed: 0.28.3 |
| - introduced: 0.29.0 |
| - fixed: 0.29.2 |
| vulnerable_at: 0.29.1 |
| packages: |
| - package: github.com/hashicorp/consul-template/template |
| symbols: |
| - Template.Execute |
| summary: |- |
| Exposure of Vault secrets via error messages in |
| github.com/hashicorp/consul-template |
| description: |- |
| The text of errors returned by Template.Execute can contain Vault secrets, |
| potentially revealing these secrets in logs or error reports. |
| cves: |
| - CVE-2022-38149 |
| ghsas: |
| - GHSA-8449-7gc2-pwrp |
| references: |
| - advisory: https://discuss.hashicorp.com/t/hsec-2022-16-consul-template-may-expose-vault-secrets-when-processing-invalid-input/43215 |
| - fix: https://github.com/hashicorp/consul-template/commit/d6a6f4af219c28e67d847ba0e0b2bea8f5bb9076 |
| review_status: REVIEWED |