Vault GitHub Action did not correctly mask multi-line secrets in output
High severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Jan 25, 2024
Description
Published by the National Vulnerability Database
May 7, 2021
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Jul 29, 2022
Last updated
Jan 25, 2024
HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking.
The vault-action implementation did not correctly handle the marking of multi-line variables. As a result, multi-line secrets were not correctly masked in vault-action output.
Remediation:
Customers using vault-action should evaluate the risk associated with this issue, and consider upgrading to vault-action 2.2.0 or newer. Please refer to https://github.com/marketplace/actions/hashicorp-vault for more information.
References