Security News > 2023 > April > HashiCorp Vault vulnerability could lead to RCE, patch today! (CVE-2023-0620)
Oxeye discovered a new vulnerability in the HashiCorp Vault Project, an identity-based secrets and encryption management system that controls access to API encryption keys, passwords, and certificates.
The vulnerability was an SQL injection vulnerability that potentially could lead to a Remote Code Execution.
The vulnerability exists in how Vault handles SQL queries when interacting with its backend database.
Attackers can exploit this vulnerability by injecting malicious SQL statements into the configuration parameters Vault loads at startup.
In some cases, depending on the database configuration, the threat actor can escalate the vulnerability to execute arbitrary system commands on the machine hosting the database.
"The importance of restricting access to critical tools and implementing adequate input validation to prevent SQL injection attacks is highlighted by this vulnerability in HashiCorp's Vault project," said Ron Vider, CTO of Oxeye.
News URL
https://www.helpnetsecurity.com/2023/04/12/hashicorp-vault-cve-2023-0620/
Related news
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Palo Alto Networks warns of potential PAN-OS RCE vulnerability (source)
- PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs and Patch Released (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged (source)
- Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability (source)