Fix for arbitrary file read vulnerabilities #23249
📣 Hi @santoshpulluri! a backport is missing for this PR [23249] for versions [1.18,1.21] please perform the backport manually and add the following snippet to your backport PR description:
Description
This PR fixes a security vulnerability in the Vault CA provider's authentication methods (Kubernetes, JWT, and AppRole) that allowed arbitrary file reads through path traversal attacks.
Root Cause:
The auth providers used os.ReadFile() directly on user-supplied file paths without proper validation, allowing attackers to read any file on the system by manipulating configuration parameters:
Solution:
Implemented OS-level path traversal protection using Go's os.OpenRoot() function, which creates a chroot-like restriction preventing access outside designated directories.
Security Measures:
Whitelist Validation: Only allow file reads from pre-defined standard directories
OS-Level Enforcement: Use os.OpenRoot() to prevent path traversal and symlink escapes at the kernel level
Defense in Depth: Multiple layers of validation ensure security even if one layer has bugs
Allowed Directories:
Kubernetes Auth:
JWT Auth:
AppRole Auth:
Testing:
Tests use symbolic links from allowed directories to temporary test directories, respecting the security boundaries while enabling test execution.
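The two layers the description lists (an allowlist check followed by an os.OpenRoot-backed open) can be shown side by side with the unvalidated os.ReadFile pattern it replaces. The following is an added example written for this page; it is not the PR's diff or the project's code. The allowlist, the readFileRestricted/readWithinRoot function names and the directory fixture built by setupFixture are all constructed for illustration (the PR's own per-auth-method directories are not reproduced). os.OpenRoot and the os.Root type exist from Go 1.24 onwards; the file is read through Root.Open plus io.ReadAll so the example needs nothing newer than that.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathNotAllowed is returned when the requested path does not resolve
// lexically inside any of the allowed directories.
var ErrPathNotAllowed = errors.New("path is outside the allowed directories")

// readFileUnsafe mirrors the pattern the PR names as the root cause: the
// caller-supplied path goes straight to os.ReadFile with no validation, so
// "../" segments and symlinks both resolve wherever they point.
func readFileUnsafe(path string) ([]byte, error) {
	return os.ReadFile(path)
}

// readFileRestricted reads path only if it lies inside one of allowedDirs
// (a hypothetical allowlist supplied by the caller). Two independent layers
// enforce this, so a bug in one does not open the other:
//  1. a lexical check: the cleaned path must be relative to an allowed dir
//     without climbing out of it through "..";
//  2. an OS-level check: the file is opened through os.OpenRoot, which
//     refuses any path component (symlink targets included) that escapes dir.
// Relative input paths cannot be made relative to an absolute dir and are
// therefore rejected by filepath.Rel as well.
func readFileRestricted(allowedDirs []string, path string) ([]byte, error) {
	cleaned := filepath.Clean(path)
	for _, dir := range allowedDirs {
		rel, err := filepath.Rel(dir, cleaned)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			continue // not lexically under this directory; try the next one
		}
		return readWithinRoot(dir, rel)
	}
	return nil, ErrPathNotAllowed
}

// readWithinRoot opens rel relative to dir through an os.Root handle. The
// per-component resolution done by the Root means a symlink inside dir that
// points outside it fails to open instead of being followed.
func readWithinRoot(dir, rel string) ([]byte, error) {
	root, err := os.OpenRoot(dir)
	if err != nil {
		return nil, err
	}
	defer root.Close()
	f, err := root.Open(rel)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

// setupFixture builds a constructed directory layout under base and returns
// the allowed directory:
//   base/allowed/token   a credential file that may legitimately be read
//   base/outside.txt     a file that must stay unreadable
//   base/allowed/link    a symlink inside the allowed dir pointing at outside.txt
func setupFixture(base string) (string, error) {
	allowed := filepath.Join(base, "allowed")
	if err := os.MkdirAll(allowed, 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(allowed, "token"), []byte("constructed-token"), 0o600); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(base, "outside.txt"), []byte("constructed-secret"), 0o600); err != nil {
		return "", err
	}
	if err := os.Symlink(filepath.Join(base, "outside.txt"), filepath.Join(allowed, "link")); err != nil {
		return "", err
	}
	return allowed, nil
}

func main() {
	base, err := os.MkdirTemp("", "openroot-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	allowed, err := setupFixture(base)
	if err != nil {
		panic(err)
	}
	roots := []string{allowed}
	// One legitimate path, one lexical traversal, one symlink escape.
	for _, p := range []string{
		filepath.Join(allowed, "token"),
		allowed + "/../outside.txt",
		filepath.Join(allowed, "link"),
	} {
		_, unsafeErr := readFileUnsafe(p)
		_, safeErr := readFileRestricted(roots, p)
		fmt.Printf("%-60s unsafe-read-ok=%-5v restricted-read-ok=%v\n", p, unsafeErr == nil, safeErr == nil)
	}
}
```

Running main prints three lines: the token is readable through both functions, while the "../outside.txt" path and the symlink are readable through readFileUnsafe only. The lexical check stops the first escape before any file is touched; the symlink is syntactically inside the allowed directory and is caught only by os.OpenRoot, which is why the description keeps both layers.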