CVE-2023-0690: 
NixOS vulnerability analysis and mitigation

HashiCorp Boundary versions 0.10.0 through 0.11.2 contain a security vulnerability (CVE-2023-0690) where credentials created after an automatic rotation may not be properly encrypted when using a PKI-based worker with a Key Management Service (KMS) configuration. The vulnerability was discovered and disclosed on February 8, 2023, affecting the credential storage mechanism in Boundary PKI workers (HashiCorp Advisory).

The vulnerability occurs in configurations using PKI-based worker authentication with a defined KMS for 'worker-auth-storage'. When credential rotation occurs, the system fails to encrypt new credentials using the configured KMS, resulting in plaintext storage on the Boundary PKI worker's disk. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) by NIST and 5.0 (MEDIUM) by HashiCorp Inc., with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability results in credentials being stored in plaintext on the Boundary PKI worker's disk, potentially exposing sensitive information. In some cases, credentials might be encrypted with the wrong KMS, rendering them unusable for operations (HashiCorp Advisory).

The vulnerability has been fixed in Boundary version 0.12.0. After upgrading, users should either wait for the next worker authentication rotation (typically within one week) or delete and re-authorize the worker to generate new encrypted credentials. The fix ensures proper encryption of credentials during rotation (HashiCorp Advisory).