GHSA-Q34H-97WF-8R8J

Vulnerability from github – Published: 2021-12-16 21:02 – Updated: 2024-11-18 22:46
VLAI?
Summary
vault-cli contains possible RCE when reading user-defined data
Details

Impact

What kind of vulnerability is it? Who is impacted?

vault-cli features the ability for rendering templated values (as explained in the documentation). When a secret starts with the prefix !template!, vault-cli interprets the rest of the contents of the secret as a Jinja2 template. Jinja2 is a powerful templating engine and it's not designed to safely render arbitrary templates. An attacker controlling a jinja2 template rendered on a machine can trigger arbitrary code, making this a Remote Code Execution (RCE) risk. If the content of the vault can be completely trusted, then this is not a problem. Otherwise, if your threat model includes cases where an attacker can manipulate a secret value read from the vault using vault-cli, then this vulnerability may impact you.

This does not impact vault itself, except for the fact that the attacker, having an RCE on the machine that executes vault-cli, may abuse the token that vault-cli uses, to read, write or delete other data from the vault.

Patches

Has the problem been patched? What versions should users upgrade to?

In 3.0.0, the code related to interpreting vault templated secrets has been removed entirely.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Using the environment variable VAULT_CLI_RENDER=false or the flag --no-render (placed between vault-cli and the subcommand, e.g. vault-cli --no-render get-all) or adding render: false to the vault-cli configuration yaml file disables rendering and removes the vulnerability. Using the python library, you can use: vault_cli.get_client(render=False) when creating your client to get a client that will not render templated secrets and thus operates securely.

References

Are there any links users can visit to find out more?

Here's an article explaining how jinja2 templates might be exploited to have side effects: https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2/

For more information

If you have any questions or comments about this advisory: * Open an issue in the vault-cli repo

Severity ?
8.4 (High)
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
6.3 (Medium)
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vault-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-16T19:28:49Z",
    "nvd_published_at": "2021-12-16T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nvault-cli features the ability for rendering templated values (as explained in the [documentation](https://github.com/peopledoc/vault-cli/blob/2.2.1/docs/howto/templated_secrets.rst)). When a secret starts with the prefix `!template!`, vault-cli interprets the rest of the contents of the secret as a Jinja2 template.\nJinja2 is a powerful templating engine and it\u0027s not designed to safely render arbitrary templates. An attacker controlling a jinja2 template rendered on a machine can trigger arbitrary code, making this a Remote Code Execution (RCE) risk.\nIf the content of the vault can be completely trusted, then this is not a problem. Otherwise, if your threat model includes cases where an attacker can manipulate a secret value read from the vault using vault-cli, then this vulnerability may impact you.\n\nThis does not impact `vault` itself, except for the fact that the attacker, having an RCE on the machine that executes `vault-cli`, may abuse the token that `vault-cli` uses, to read, write or delete other data from the vault.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nIn 3.0.0, the code related to interpreting vault templated secrets has been removed entirely.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nUsing the environment variable `VAULT_CLI_RENDER=false` or the flag `--no-render` (placed between `vault-cli` and the subcommand, e.g. `vault-cli --no-render get-all`) or adding `render: false` to the vault-cli configuration yaml file disables rendering and removes the vulnerability.\nUsing the python library, you can use: `vault_cli.get_client(render=False)` when creating your client to get a client that will not render templated secrets and thus operates securely.\n\n### References\n_Are there any links users can visit to find out more?_\n\nHere\u0027s an article explaining how jinja2 templates might be exploited to have side effects: https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the vault-cli repo](https://github.com/peopledoc/vault-cli/issues/new)\n",
  "id": "GHSA-q34h-97wf-8r8j",
  "modified": "2024-11-18T22:46:40Z",
  "published": "2021-12-16T21:02:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43837"
    },
    {
      "type": "WEB",
      "url": "https://github.com/peopledoc/vault-cli/pull/198"
    },
    {
      "type": "WEB",
      "url": "https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/peopledoc/vault-cli"
    },
    {
      "type": "WEB",
      "url": "https://github.com/peopledoc/vault-cli/releases/tag/3.0.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vault-cli/PYSEC-2021-853.yaml"
    },
    {
      "type": "WEB",
      "url": "https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "vault-cli contains possible RCE when reading user-defined data"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.