This cloud security platform finds zero-days all by itself

Oxeye's cloud security platform discovered a high-severity zero-day vulnerability in a secret management system completely autonomously, without manual input or intervention.

According to the company, its cloud-native application security platform found a zero-day in HashiCorp's Vault project, a popular identity-based secret and encryption management system used to control access to security keys, encryption API, passwords and certificates.

The flaw was an SQL injection vulnerability that could have allowed threat actors to achieve remote code execution (RCE). It is now tracked as CVE-2023-0620. The bug has since been fixed and a hotfix has been released.

Patches released

Oxeye said its application security platform identified the zero-day as part of a standard deployment scan and concluded that threat actors could have used it to access sensitive data, tamper with it, and even run malicious apps on targeted devices.

"Given the trend towards microservices in modern software development, configuration-based attacks like this one pose a significant threat and are expected to become more common.

"Because the centralized nature of configurations makes them a single point of truth, they are a lucrative target for threat actors. As such, organizations should prioritize security of configuration files and other centralized components in modern applications," the researchers conclude.

After Oxeye disclosed the flaw to HashiCorp, HashiCorp released patches 1.13.1, 1.12.5, and 1.11.9.

"This vulnerability in HashiCorp's Vault project underscores the importance of restricting access to critical tools and implementing proper input validation to prevent SQL injection attacks," said Ron Vider, CTO and co-founder of Oxeye. "To protect your environment, quickly applying patches and updating security policies will prevent successful attacks."