CVE-2021-43837 – Template injection in vault-cli
https://notcve.org/view.php?id=CVE-2021-43837
vault-cli is a configurable command-line interface tool (and Python library) to interact with HashiCorp Vault. In versions before 3.0.0, vault-cli features the ability to render templated values. When a secret starts with the prefix `!template!`, vault-cli interprets the rest of the contents of the secret as a Jinja2 template.

• https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852
• https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j
• https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2

• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-94: Improper Control of Generation of Code ('Code Injection')
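
An added example (not from the advisory or the vault-cli project): a small audit that walks secret data already loaded into a Python structure and lists the values that start with `!template!`, which versions before 3.0.0 would interpret as Jinja2 templates instead of returning them as-is. The function name, the secret paths and the sample values are assumptions constructed for illustration.

```python
# Added example: audit secret data for values vault-cli < 3.0.0 would render.
# The prefix comes from the advisory text; everything else is constructed.
import re

TEMPLATE_PREFIX = "!template!"
# Jinja2's default delimiters for expressions, statements and comments.
JINJA_SYNTAX = re.compile(r"\{\{|\{%|\{#")


def find_templated_secrets(data, path=""):
    """Walk nested secret data and return a list of findings.

    Each finding is (path, has_jinja_syntax) for a string value that starts
    with the template prefix, i.e. one that would be rendered as a template.
    """
    findings = []
    if isinstance(data, dict):
        for key, value in data.items():
            findings += find_templated_secrets(value, f"{path}/{key}")
    elif isinstance(data, (list, tuple)):
        for index, value in enumerate(data):
            findings += find_templated_secrets(value, f"{path}[{index}]")
    elif isinstance(data, str) and data.startswith(TEMPLATE_PREFIX):
        body = data[len(TEMPLATE_PREFIX):]
        findings.append((path, bool(JINJA_SYNTAX.search(body))))
    return findings


# Constructed sample: secret paths and values are made up for illustration.
SAMPLE_SECRETS = {
    "app": {
        "db_password": "s3cr3t-value",
        "db_url": "!template!postgres://{{ user }}@db/app",
        "motd": "!template!static text, no expressions",
        "note": "mentions !template! mid-string only",
        "ports": [8080, "!template!{% if x %}1{% endif %}"],
    },
}

if __name__ == "__main__":
    for secret_path, has_syntax in find_templated_secrets(SAMPLE_SECRETS):
        kind = "contains Jinja2 syntax" if has_syntax else "prefix only"
        print(f"{secret_path}: rendered as template ({kind})")
```

Findings flagged as containing Jinja2 syntax are the ones to review first, since anyone able to write that secret controls template code that runs on the machine reading it.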