nvd-json-data-feeds/CVE-2021/CVE-2021-438xx/CVE-2021-43837.json

{
  "id": "CVE-2021-43837",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2021-12-16T19:15:08.410",
  "lastModified": "2022-08-09T13:23:59.983",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. In versions before 3.0.0 vault-cli features the ability for rendering templated values. When a secret starts with the prefix `!template!`, vault-cli interprets the rest of the contents of the secret as a Jinja2 template. Jinja2 is a powerful templating engine and is not designed to safely render arbitrary templates. An attacker controlling a jinja2 template rendered on a machine can trigger arbitrary code, making this a Remote Code Execution (RCE) risk. If the content of the vault can be completely trusted, then this is not a problem. Otherwise, if your threat model includes cases where an attacker can manipulate a secret value read from the vault using vault-cli, then this vulnerability may impact you. In 3.0.0, the code related to interpreting vault templated secrets has been removed entirely. Users are advised to upgrade as soon as possible. For users unable to upgrade a workaround does exist. Using the environment variable `VAULT_CLI_RENDER=false` or the flag `--no-render` (placed between `vault-cli` and the subcommand, e.g. `vault-cli --no-render get-all`) or adding `render: false` to the vault-cli configuration yaml file disables rendering and removes the vulnerability. Using the python library, you can use: `vault_cli.get_client(render=False)` when creating your client to get a client that will not render templated secrets and thus operates securely."
    },
    {
      "lang": "es",
      "value": "vault-cli es una herramienta configurable de interfaz de l\u00ednea de comandos (y biblioteca de python) para interactuar con Hashicorp Vault. En versiones anteriores a 3.0.0 vault-cli cuenta con la capacidad de renderizar valores templados. Cuando un secreto comienza con el prefijo \"!template!\", vault-cli interpreta el resto del contenido del secreto como una plantilla Jinja2. Jinja2 es un potente motor de plantillas y no est\u00e1 dise\u00f1ado para renderizar de forma segura plantillas arbitrarias. Un atacante que controle una plantilla jinja2 renderizada en una m\u00e1quina puede lanzar c\u00f3digo arbitrario, lo que supone un riesgo de Ejecuci\u00f3n de C\u00f3digo Remota (RCE). Si el contenido de la b\u00f3veda puede ser completamente confiable, entonces esto no es un problema. De lo contrario, si su modelo de amenaza incluye casos en los que un atacante puede manipular un valor secreto le\u00eddo desde la b\u00f3veda usando vault-cli, entonces esta vulnerabilidad puede afectarle. En la versi\u00f3n 3.0.0, el c\u00f3digo relacionado con la interpretaci\u00f3n de los secretos de las plantillas de las b\u00f3vedas se ha eliminado por completo. Se recomienda a usuarios que actualicen lo antes posible. Para los usuarios que no puedan actualizar, se presenta una soluci\u00f3n. Usando la variable de entorno \"VAULT_CLI_RENDER=false\" o el flag \"--no-render\" (colocada entre \"vault-cli\" y el subcomando, por ejemplo \"vault-cli --no-render get-all\") o a\u00f1adiendo \"render: false\" al archivo yaml de configuraci\u00f3n de vault-cli es deshabilitada la renderizaci\u00f3n y se elimina la vulnerabilidad. Usando la librer\u00eda python, puedes usar \"vault_cli.get_client(render=False)\" cuando creas tu cliente para conseguir un cliente que no renderice los secretos de las plantillas y as\u00ed operar de forma segura"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "HIGH",
          "userInteraction": "NONE",
          "scope": "CHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0
      },
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "attackVector": "ADJACENT_NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "HIGH",
          "userInteraction": "NONE",
          "scope": "CHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 8.4,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 6.0
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "SINGLE",
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0
        },
        "baseSeverity": "HIGH",
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ]
    },
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:vault-cli_project:vault-cli:*:*:*:*:*:python:*:*",
              "versionStartIncluding": "0.7.0",
              "versionEndExcluding": "3.0.0",
              "matchCriteriaId": "FB498407-0878-4D1A-853B-01BA2CF7E539"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j",
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2/",
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    }
  ]
}