CVE-2023-0690

MEDIUM

Hashicorp Boundary < 0.12.0 - Cleartext Storage

Title source: rule

Description

HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0.

References (1)

[Vendor Advisory] https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907

Scores

CVSS v3 5.0

EPSS 0.0006

EPSS Percentile 17.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-312 CWE-311

Status published

Products (2)

hashicorp/boundary 0.10.0 - 0.12.0

hashicorp/boundary 0.10.0 - 0.12.0Go

Published Feb 08, 2023

Tracked Since Feb 18, 2026