Spring Vault is a popular Java-based library that provides client-side support for accessing and managing secrets in HashiCorp's Vault. Recently, a security vulnerability known as CVE-2023-20859 was discovered in Spring Vault, affecting versions 3.0.x prior to 3.0.2, versions 2.3.x prior to 2.3.3, and older releases. This vulnerability could result in the insertion of sensitive information, such as access tokens, into application log files during the process of revoking a Vault batch token. This poses a security risk, because anyone who can read the leaked token could use it to gain unauthorized access to the Vault system.

In this post, we'll take an in-depth look at CVE-2023-20859, including the affected code, exploit details, and available mitigations. Additionally, we'll provide links to original references for those seeking more information.

Affected Code Snippet

The vulnerability exists within the ClientAuthentication class in the Spring Vault library. When revoking a batch token, the affected code inadvertently logs the X-Vault-Token header with the authorization token. The ClientAuthentication class is part of the org.springframework.vault.authentication package.

import org.apache.commons.logging.Log;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

public class ClientAuthentication {

    private RestTemplate restTemplate; // client preconfigured for the Vault base URL
    private Log logger;

    //...

    public void revoke(final VaultToken token) {
        //...

        try {
            // Ask Vault to revoke the token currently sent as X-Vault-Token.
            restTemplate.postForEntity("/v1/auth/token/revoke-self", null, String.class);
        }
        catch (RestClientException e) {
            // Vulnerable line: the token value is concatenated into the log message.
            logger.error("Failed to revoke Vault token " + token.toString(), e);
        }
    }
}

In the snippet above, the logger.error(...) call concatenates the token value into the message, so every failed revocation writes the secret into the application logs.

Exploit Details

An attacker who gains access to the application logs containing the sensitive token information can use this data to authenticate and gain unauthorized access to the Vault system. With this access, the attacker could potentially exfiltrate, modify, or delete sensitive information, compromising the security and integrity of the system.

Mitigations

To address this vulnerability, developers should upgrade their Spring Vault dependency to version 3.0.2, 2.3.3, or newer, where the issue has been fixed. In the updated versions, the token value is no longer written to the application logs. Additionally, it's recommended to monitor and restrict access to application log files, ensuring only authorized personnel have access to this data.
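As an added defensive check (not part of the original post or of Spring Vault), the scanner below flags log lines that carry what looks like a Vault token, so logs written by an unpatched version can be triaged before they spread. The sample log lines are constructed, including the revoke-failure message from the snippet above; the hvs./hvb. (and legacy s./b.) prefixes are Vault's token formats, while the minimum body length is an assumption. The scanner reports only a SHA-256 fingerprint and a redacted copy of the line, so the triage output does not re-leak the secret.

```python
import hashlib
import re
from typing import Iterable, List, NamedTuple

# Vault token prefixes: "hvs."/"hvb." (service/batch, Vault >= 1.10) and the
# legacy "s."/"b." forms. The body-length floor (assumed) keeps ordinary
# words such as "b.fast" from matching.
VAULT_TOKEN_RE = re.compile(r"\b(?P<prefix>hvs|hvb|s|b)\.(?P<body>[A-Za-z0-9_-]{20,})")

# Constructed sample log, modelled on the vulnerable logger.error(...) message.
SAMPLE_LOG = """\
2023-03-20 10:01:02 INFO  LifecycleAwareSessionManager - Renewing token
2023-03-20 10:01:05 ERROR ClientAuthentication - Failed to revoke Vault token hvb.AAAAAQI8nTexampleBatchToken0123456789abcdefghijKLMN
2023-03-20 10:01:06 WARN  Scheduler - task b.fast took 12 ms
2023-03-20 10:01:07 DEBUG RestTemplate - header X-Vault-Token: s.aBcDeFgHiJkLmNoPqRsTuVwX
"""


class Finding(NamedTuple):
    line_no: int
    kind: str           # "service" or "batch"
    fingerprint: str    # sha256 prefix of the token, safe to paste into a ticket
    redacted_line: str  # the log line with the token body masked


def token_kind(prefix: str) -> str:
    return "batch" if prefix in ("hvb", "b") else "service"


def fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per token-looking value, without echoing the token."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        matches = list(VAULT_TOKEN_RE.finditer(line))
        if not matches:
            continue
        redacted = VAULT_TOKEN_RE.sub(lambda m: f"{m.group('prefix')}.<redacted>", line)
        for m in matches:
            findings.append(Finding(line_no, token_kind(m.group("prefix")),
                                    fingerprint(m.group(0)), redacted))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.kind} token fp={f.fingerprint} :: {f.redacted_line}")
```

Feed real log files through `scan_lines` line by line; any finding means the token should be revoked on the Vault side and the log retention for that file reviewed.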

For more details about CVE-2023-20859, refer to the following resources:

- Official Spring Advisory: https://github.com/spring-projects/spring-vault/security/advisories/GHSA-9854-8x8x-gc78
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20859
- National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2023-20859

Conclusion

CVE-2023-20859 is a concerning vulnerability that could result in the unintentional leakage of sensitive token information. By updating to the patched versions of Spring Vault and following best practices for securing application logs, developers can effectively mitigate this security risk and ensure the confidentiality and integrity of their Vault systems.

Timeline

Published on: 03/23/2023 21:15:00 UTC
Last modified on: 03/28/2023 13:46:00 UTC