{ "schema_version": "1.4.0", "id": "GHSA-6239-28c2-9mrm", "modified": "2022-08-04T11:22:29Z", "published": "2021-08-30T17:22:38Z", "aliases": [ "CVE-2021-38554" ], "summary": "Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault", "details": "HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/hashicorp/vault" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.6.6" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/hashicorp/vault" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.7.0" }, { "fixed": "1.7.4" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38554" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166" }, { "type": "PACKAGE", "url": "https://github.com/hashicorp/vault" }, { "type": "WEB", "url": "https://github.com/hashicorp/vault/releases/tag/v1.6.6" }, { "type": "WEB", "url": "https://github.com/hashicorp/vault/releases/tag/v1.7.4" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202207-01" } ], "database_specific": { "cwe_ids": [ "CWE-212" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-08-30T17:14:06Z", "nvd_published_at": "2021-08-13T16:15:00Z" } }