Improperly secured API vulnerability.
11 May 2020, 10 AM PDT (Pacific Daylight Time, UTC-7)
Affected Replicated Classic Versions
2.10.0 – 2.32.3, 2.33.0 – 2.36.0, 2.37.0 – 2.37.1, 2.38.0 – 2.38.5, 2.39.0 – 2.39.3, 2.40.0 – 2.40.3, 2.41.0 – 2.41.0, 2.42.0 – 2.42.3
Patched Replicated Classic Versions
2.32.4, 2.37.2, 2.38.6, 2.39.4, 2.40.4, 2.41.1, 2.42.4 – 2.42.5, 2.43.0 – (all later versions)
Summary of Vulnerability
This advisory discloses a critical-severity security vulnerability in the versions of Replicated Classic listed above (“Affected Replicated Classic Versions”).
Description
The Replicated Classic versions listed above have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port (8800) on the Replicated Classic server could retrieve the TLS key pair (certificate and private key) used to configure the Admin Console.
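The version ranges above are the only data a defender needs to triage an inventory of Replicated Classic servers. The following script is an added example, not code from the advisory or from Replicated; it encodes the affected and patched ranges exactly as listed here, classifies a version string as affected, patched or not listed, and names the lowest patched release that is not older than an affected version. The inventory of hostnames and versions at the bottom is constructed for illustration.

```python
import re

# Inclusive version ranges copied from the "Affected Replicated Classic Versions" list.
AFFECTED_RANGES = [
    ("2.10.0", "2.32.3"), ("2.33.0", "2.36.0"), ("2.37.0", "2.37.1"),
    ("2.38.0", "2.38.5"), ("2.39.0", "2.39.3"), ("2.40.0", "2.40.3"),
    ("2.41.0", "2.41.0"), ("2.42.0", "2.42.3"),
]
# Explicitly listed patched releases; 2.43.0 and every later release are patched too.
PATCHED_VERSIONS = ["2.32.4", "2.37.2", "2.38.6", "2.39.4", "2.40.4",
                    "2.41.1", "2.42.4", "2.42.5"]
FIRST_FULLY_PATCHED = "2.43.0"


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Replicated version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(version):
    """Return 'affected', 'patched' or 'not listed' for one version string."""
    v = parse_version(version)
    if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v >= parse_version(FIRST_FULLY_PATCHED) or v in {parse_version(p) for p in PATCHED_VERSIONS}:
        return "patched"
    # Versions older than 2.10.0, or in gaps such as 2.36.1, are simply not covered by the advisory.
    return "not listed"


def recommended_upgrade(version):
    """Lowest patched release not older than `version`; None when no upgrade is needed."""
    if classify(version) != "affected":
        return None
    v = parse_version(version)
    candidates = sorted(parse_version(p) for p in PATCHED_VERSIONS + [FIRST_FULLY_PATCHED])
    for candidate in candidates:
        if candidate >= v:
            return ".".join(str(n) for n in candidate)
    return FIRST_FULLY_PATCHED  # unreachable while 2.43.0 is the last candidate, kept for safety


def triage(inventory):
    """Map each (host, version) pair to its status and, where needed, the upgrade target."""
    return [(host, ver, classify(ver), recommended_upgrade(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    SAMPLE_INVENTORY = [
        ("console-a.example.internal", "2.20.1"),
        ("console-b.example.internal", "2.41.0"),
        ("console-c.example.internal", "2.42.5"),
        ("console-d.example.internal", "2.9.9"),
    ]
    for host, ver, status, target in triage(SAMPLE_INVENTORY):
        action = f"upgrade to {target}" if target else "no action"
        print(f"{host:30} {ver:8} {status:10} {action}")
```

Unlisted versions deserve a manual look rather than a green light: the advisory only speaks to the ranges it names, so a version in a gap (for example 2.36.1) is neither confirmed affected nor confirmed patched by this page.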
Timeline
This issue was discovered during a security review on 21 March 2020.
Patched versions were released on 22 March 2020.
This advisory was embargoed until 11 May 2020.
Acknowledgements
Credit for finding and disclosing this vulnerability goes to the security team at HashiCorp.