Collaborate Disseminate
Oxeye discovered a new vulnerability (CVE-2023-0620) in the HashiCorp Vault Project, an identity-based secrets and encryption management system that controls access to API encryption keys, passwords, and certificates. The vulnerability was an SQL injec… Continue reading HashiCorp Vault vulnerability could lead to RCE, patch today! (CVE-2023-0620)
I have deployed HashiCorp Vault in a Linux VM, and I want it to connect to an instance of MySQL database running on my host machine.
In my database (host machine IP 100.101.102.103), I have created a user especially for this purpose:
CREAT… Continue reading Unsupported operation when trying to remotely create new MySQL user via HashiCorp Vault [migrated]
HashiCorp Vault Agent creates a sidecar that talks to Vault server and injects secrets as files into containers. The agent presumably uses Kubernetes Service Account in some way. But ultimately there must be a secret zero somewhere, protec… Continue reading How Vault agent solves Secret Zero challenge in Kubernetes?
I downloaded Hashicorp Vault. I "installed" it which is just unzipping the archive and moving the vault application to wherever I want to run it from. I also added the path to the PATHS environment variable so that I can run the … Continue reading I started a vault server with the -dev flag and the UI is empty. What am I doing wrong? [closed]
One the Hashicorp Vault basic feature is secret leasing. They state:
Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to re… Continue reading What are the advantages of password "leasing"
One the Hashicorp Vault basic feature is secret leasing. They state:
Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to re… Continue reading What are the advantages of password "leasing"
Is it common practice or are there pitfalls to using Vault by HashiCorp not only for storing secret parameters but for other app configuration key-values?
In Jenkins there is a way to see secrets in plaintext by using Manage Jenkins > Script Console feature as described here. The access to this console is limited to Jenkins administrator only but still I don’t want them to be able to see … Continue reading Can master secret to Hashicorp Vault can be retrieved from Jenkins?
Red Hat announced Red Hat OpenShift 4.8, the latest version of the enterprise Kubernetes platform. Providing a powerful foundation to develop and connect diverse workloads across the hybrid cloud, Red Hat OpenShift 4.8 helps organizations accelerate th… Continue reading Red Hat OpenShift 4.8 helps organizations accelerate the creation of new cloud-native applications
1Password launched Secrets Automation, a new way to easily secure, manage and orchestrate the rapidly expanding infrastructure secrets required in a modern enterprise. Secrets such as corporate credentials, API tokens, keys and certificates can number … Continue reading 1Password Secrets Automation helps businesses secure and manage secrets