CVE-2021-43837

Template injection in vault-cli

Severity Score

9.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. In versions before 3.0.0 vault-cli features the ability for rendering templated values. When a secret starts with the prefix `!template!`, vault-cli interprets the rest of the contents of the secret as a Jinja2 template. Jinja2 is a powerful templating engine and is not designed to safely render arbitrary templates. An attacker controlling a jinja2 template rendered on a machine can trigger arbitrary code, making this a Remote Code Execution (RCE) risk. If the content of the vault can be completely trusted, then this is not a problem. Otherwise, if your threat model includes cases where an attacker can manipulate a secret value read from the vault using vault-cli, then this vulnerability may impact you. In 3.0.0, the code related to interpreting vault templated secrets has been removed entirely. Users are advised to upgrade as soon as possible. For users unable to upgrade a workaround does exist. Using the environment variable `VAULT_CLI_RENDER=false` or the flag `--no-render` (placed between `vault-cli` and the subcommand, e.g. `vault-cli --no-render get-all`) or adding `render: false` to the vault-cli configuration yaml file disables rendering and removes the vulnerability. Using the python library, you can use: `vault_cli.get_client(render=False)` when creating your client to get a client that will not render templated secrets and thus operates securely.

vault-cli es una herramienta configurable de interfaz de línea de comandos (y biblioteca de python) para interactuar con Hashicorp Vault. En versiones anteriores a 3.0.0 vault-cli cuenta con la capacidad de renderizar valores templados. Cuando un secreto comienza con el prefijo "!template!", vault-cli interpreta el resto del contenido del secreto como una plantilla Jinja2. Jinja2 es un potente motor de plantillas y no está diseñado para renderizar de forma segura plantillas arbitrarias. Un atacante que controle una plantilla jinja2 renderizada en una máquina puede lanzar código arbitrario, lo que supone un riesgo de Ejecución de Código Remota (RCE). Si el contenido de la bóveda puede ser completamente confiable, entonces esto no es un problema. De lo contrario, si su modelo de amenaza incluye casos en los que un atacante puede manipular un valor secreto leído desde la bóveda usando vault-cli, entonces esta vulnerabilidad puede afectarle. En la versión 3.0.0, el código relacionado con la interpretación de los secretos de las plantillas de las bóvedas se ha eliminado por completo. Se recomienda a usuarios que actualicen lo antes posible. Para los usuarios que no puedan actualizar, se presenta una solución. Usando la variable de entorno "VAULT_CLI_RENDER=false" o el flag "--no-render" (colocada entre "vault-cli" y el subcomando, por ejemplo "vault-cli --no-render get-all") o añadiendo "render: false" al archivo yaml de configuración de vault-cli es deshabilitada la renderización y se elimina la vulnerabilidad. Usando la librería python, puedes usar "vault_cli.get_client(render=False)" cuando creas tu cliente para conseguir un cliente que no renderice los secretos de las plantillas y así operar de forma segura

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2021-12-16 CVE Published
2024-03-09 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j	2024-08-04
https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2	2024-08-04

URL	Date	SRC
https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852	2022-08-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vault-cli Project Search vendor "Vault-cli Project"		Vault-cli Search vendor "Vault-cli Project" for product "Vault-cli"				>= 0.7.0 < 3.0.0 Search vendor "Vault-cli Project" for product "Vault-cli" and version " >= 0.7.0 < 3.0.0"		python		Affected