BIT-vault-2023-0620
Information Disclosure vulnerability in vault (Go)

Information Disclosure
No known exploit

What is BIT-vault-2023-0620 About?

This vulnerability is an Information Disclosure flaw in Apache Airflow versions before 2.8.2, where authenticated users with the Ops or Viewer role could view all audit log information, including DAG names and usernames they were not permitted to see. This gives unauthorized users access to sensitive operational details. Exploitation is trivial for authenticated users holding either of these roles.

Affected Software

  • github.com/hashicorp/vault
    • >0.8.0, <1.11.9
    • >1.12.0, <1.12.5
    • >1.13.0, <1.13.1

Technical Details

The vulnerability is an information disclosure issue in Apache Airflow. In versions prior to 2.8.2, the access control mechanisms for audit logs were insufficient. Specifically, users with the 'Ops' and 'Viewer' roles, despite not having administrative privileges, were able to view 'all information on audit logs'. This included sensitive data such as 'dag names and usernames they were not permitted to view' under the role definitions applied elsewhere in the application. This points to a missing granular permission check when audit log data is retrieved or displayed, allowing users with these roles to bypass the intended access restrictions and read confidential operational details.

What is the Impact of BIT-vault-2023-0620?

Successful exploitation may allow attackers to gain unauthorized access to sensitive operational information, including user activity and system configurations, leading to privacy breaches, intelligence gathering for further attacks, and non-compliance with data protection regulations.

What is the Exploitability of BIT-vault-2023-0620?

Exploitation requires an attacker to be an authenticated user with either the 'Ops' or 'Viewer' role within Apache Airflow; this is an authenticated, remote vulnerability. Once authenticated, no action beyond accessing the audit logs is required, and no privileges beyond the 'Ops' or 'Viewer' role are needed, so the complexity of exploitation is low for an attacker who already holds one of these roles. The risk is heightened where such roles are commonly assigned or where accounts holding them can easily be compromised. There are no special conditions or constraints beyond meeting the authentication and role requirements.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-vault-2023-0620?

Available Upgrade Options

  • github.com/hashicorp/vault
    • >0.8.0, <1.11.9 → Upgrade to 1.11.9
  • github.com/hashicorp/vault
    • >1.12.0, <1.12.5 → Upgrade to 1.12.5
  • github.com/hashicorp/vault
    • >1.13.0, <1.13.1 → Upgrade to 1.13.1


Additional Resources

What are Similar Vulnerabilities to BIT-vault-2023-0620?

Similar Vulnerabilities: CVE-2023-22809, CVE-2023-38601, CVE-2022-38605, CVE-2022-38507, CVE-2021-40914