CVE-2020-16250
HTML Injection vulnerability in vault (Go)
What is CVE-2020-16250 About?
This vulnerability is an HTML injection flaw in Vault and Vault Enterprise's key-value v2 (kv-v2) diff viewer. It allows attackers to inject malicious HTML into the Vault web UI through key values, potentially leading to phishing or defacement. Exploitation requires specific user interaction with the crafted key values.
Affected Software
- github.com/hashicorp/vault
- >1.4.0, <1.4.4
- >1.5.0, <1.5.1
- >0.8.1, <1.2.5
- >1.3.0, <1.3.8
Technical Details
The Vault key-value v2 (kv-v2) diff viewer functionality, which is designed to display differences between versions of stored key-value data, inadequately sanitizes input from key values. An attacker can craft a key value containing malicious HTML tags and attributes. When this crafted key value is subsequently viewed within the Vault web UI's diff viewer by another user, the application renders the injected HTML directly into the page. This bypasses typical input validation and output encoding mechanisms, leading to client-side code execution in the context of the user's browser.
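To illustrate the defect class described above, here is an added example (not Vault's own UI code) of a minimal kv-v2 style diff renderer in JavaScript: the unsafe variant interpolates key names and values straight into markup, the hardened variant entity-encodes every untrusted fragment first. The version data and the key names are constructed for the example.

```javascript
// Added example, not code from the Vault project. Key values in kv-v2 are
// written by any principal with write access to the path, so the diff viewer
// must treat both key names and values as untrusted when building HTML.

// Entity-encode a string for use in HTML text or double-quoted attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Compute per-key changes between the data maps of two kv-v2 versions.
function diffVersions(oldData, newData) {
  const keys = [...new Set([...Object.keys(oldData), ...Object.keys(newData)])].sort();
  const rows = [];
  for (const key of keys) {
    if (!(key in oldData)) rows.push({ key, kind: "added", value: newData[key] });
    else if (!(key in newData)) rows.push({ key, kind: "removed", value: oldData[key] });
    else if (oldData[key] !== newData[key]) rows.push({ key, kind: "changed", value: newData[key] });
  }
  return rows;
}

// Vulnerable pattern: untrusted key names and values land in the page unescaped.
// `kind` comes from a fixed set of literals above, so it is safe in the attribute.
function renderDiffUnsafe(rows) {
  return rows.map(r => `<li class="${r.kind}">${r.key}: ${r.value}</li>`).join("");
}

// Hardened pattern: the same layout, with every untrusted fragment encoded.
function renderDiffSafe(rows) {
  return rows
    .map(r => `<li class="${r.kind}">${escapeHtml(r.key)}: ${escapeHtml(r.value)}</li>`)
    .join("");
}

// Constructed sample: version 2 changes one value to a string carrying markup.
const version1 = { api_url: "https://api.example.invalid", db_password: "s3cret" };
const version2 = { api_url: "<b>changed</b>", db_password: "s3cret", note: "rotated" };

const rows = diffVersions(version1, version2);
console.log(renderDiffUnsafe(rows)); // raw <b> tag reaches the DOM
console.log(renderDiffSafe(rows));   // &lt;b&gt; is displayed as text
```

The same escaping must be applied to the key name, not only the value, since both are attacker-controlled in a kv-v2 write.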
What is the Impact of CVE-2020-16250?
Successful exploitation may allow attackers to deface the web UI, conduct phishing attacks, or execute client-side scripts in the victim's browser context, leading to information disclosure or session hijacking.
What is the Exploitability of CVE-2020-16250?
Exploitation of this vulnerability is moderately complex, requiring an attacker to have write access to key-value storage within Vault. No authentication bypass is involved, as the attacker needs to be an authenticated user with appropriate permissions to modify key-value data. The attack is remote, as it targets the web UI accessed by other users. Special conditions include the victim needing to view the specifically crafted key value within the diff viewer. The likelihood of exploitation increases if users frequently inspect key-value differences and if the attacker has gained internal access or compromised credentials giving them write permissions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-16250?
Available Upgrade Options
- github.com/hashicorp/vault
- >0.8.1, <1.2.5 → Upgrade to 1.2.5
- >1.3.0, <1.3.8 → Upgrade to 1.3.8
- >1.4.0, <1.4.4 → Upgrade to 1.4.4
- >1.5.0, <1.5.1 → Upgrade to 1.5.1
Additional Resources
- https://osv.dev/vulnerability/GHSA-fp52-qw33-mfmw
- https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151
- https://www.hashicorp.com/blog/category/vault
- https://nvd.nist.gov/vuln/detail/CVE-2020-16250
- https://github.com/hashicorp/vault
- http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html
What are Similar Vulnerabilities to CVE-2020-16250?
Similar Vulnerabilities: CVE-2022-26270, CVE-2021-39226, CVE-2020-25212, CVE-2015-7729, CVE-2014-0453
