Description

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. In versions before 3.0.0 vault-cli features the ability for rendering templated values. When a secret starts with the prefix `!template!`, vault-cli interprets the rest of the contents of the secret as a Jinja2 template. Jinja2 is a powerful templating engine and is not designed to safely render arbitrary templates. An attacker controlling a jinja2 template rendered on a machine can trigger arbitrary code, making this a Remote Code Execution (RCE) risk. If the content of the vault can be completely trusted, then this is not a problem. Otherwise, if your threat model includes cases where an attacker can manipulate a secret value read from the vault using vault-cli, then this vulnerability may impact you. In 3.0.0, the code related to interpreting vault templated secrets has been removed entirely. Users are advised to upgrade as soon as possible. For users unable to upgrade a workaround does exist. Using the environment variable `VAULT_CLI_RENDER=false` or the flag `--no-render` (placed between `vault-cli` and the subcommand, e.g. `vault-cli --no-render get-all`) or adding `render: false` to the vault-cli configuration yaml file disables rendering and removes the vulnerability. Using the python library, you can use: `vault_cli.get_client(render=False)` when creating your client to get a client that will not render templated secrets and thus operates securely.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  9.1 CRITICAL

Vector:  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CNA:  GitHub, Inc.

Base Score:  8.4 HIGH

Vector:  CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score:  9.0 HIGH

Vector:  (AV:N/AC:L/Au:S/C:C/I:C/A:C)

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852	Patch  Third Party Advisory
https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852	Patch  Third Party Advisory
https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j	Exploit  Mitigation  Third Party Advisory
https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j	Exploit  Mitigation  Third Party Advisory
https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2/	Exploit  Third Party Advisory
https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2/	Exploit  Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-94	Improper Control of Generation of Code ('Code Injection')	NIST
CWE-74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

5 change records found show changes

CVE Modified by CVE 11/21/2024 1:29:53 AM

Action	Type	Old Value	New Value
Added	Reference		https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852
Added	Reference		https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j
Added	Reference		https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2/

CVE Modified by GitHub, Inc. 5/14/2024 5:34:56 AM

Action	Type	Old Value	New Value

Reanalysis by NIST 8/09/2022 9:23:59 AM

Action	Type	Old Value	New Value
Added	CWE		NIST CWE-94

CPE Deprecation Remap by NIST 2/08/2022 1:48:38 PM

Action	Type	Old Value	New Value
Changed	CPE Configuration	OR *cpe:2.3:a:ukg:vault-cli:*:*:*:*:*:python:*:* versions from (including) 0.7.0 from (excluding) 3.0.0	OR *cpe:2.3:a:vault-cli_project:vault-cli:*:*:*:*:*:python:*:* versions from (including) 0.7.0 from (excluding) 3.0.0

Initial Analysis by NIST 12/30/2021 12:02:38 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Added	CVSS V2		NIST (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Added	CPE Configuration		OR *cpe:2.3:a:ukg:vault-cli:*:*:*:*:*:python:*:* versions from (including) 0.7.0 up to (excluding) 3.0.0
Changed	Reference Type	https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852 No Types Assigned	https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852 Patch, Third Party Advisory
Changed	Reference Type	https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j No Types Assigned	https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j Exploit, Mitigation, Third Party Advisory
Changed	Reference Type	https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2/ No Types Assigned	https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2/ Exploit, Third Party Advisory