CVE-2023-0690

Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Is Configured

Description

HashiCorp Boundary versions 0.10.0 through 0.11.2 contain an issue: when a PKI-based worker is used with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. As a result, the credentials would be stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0.

Remediation

Solution:

  • Upgrade to Boundary 0.12.0. After upgrading, users should do one of the following to remediate the issue:
      * Wait for the next worker authentication rotation to occur, typically within one week, at which point the new credentials should be properly encrypted.
      * Delete the worker from the system and re-authorize it, forcing the worker to generate a new set of credentials immediately, which will be encrypted.

CVSS 3.1 score: 5.0
Severity: Medium
EPSS 0.02%
Vendor Advisory hashicorp.com
Affected: HashiCorp Boundary

Frequently Asked Questions

What is the severity of CVE-2023-0690?
CVE-2023-0690 has been scored as a medium severity vulnerability.
How to fix CVE-2023-0690?
To fix CVE-2023-0690: Upgrade to Boundary 0.12.0. After upgrading, users should do one of the following to remediate the issue:
  * Wait for the next worker authentication rotation to occur, typically within one week, at which point the new credentials should be properly encrypted.
  * Delete the worker from the system and re-authorize it, forcing the worker to generate a new set of credentials immediately, which will be encrypted.
Is CVE-2023-0690 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2023-0690 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-0690?
CVE-2023-0690 affects HashiCorp Boundary.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.