7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32074

GHSA ID

GHSA-4mgv-m5cm-f9h7

EPSS Score

0.56496%

CWE

CWE-532

Published

5/24/2022

Updated

1/25/2024

KEV Status

Technology

GitHub Actions

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32074

CVE-2021-32074: Vault GitHub Action did not correctly mask multi-line secrets in output

HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking.

The vault-action implementation did not correctly handle the marking of multi-line variables. As a result, multi-line secrets were not correctly masked in vault-action output.

Remediation: Customers using vault-action should evaluate the risk associated with this issue, and consider upgrading to vault-action 2.2.0 or newer. Please refer to https://github.com/marketplace/actions/hashicorp-vault for more information.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32074

GHSA ID

GHSA-4mgv-m5cm-f9h7

EPSS Score

0.56496%

CWE

CWE-532

Published

5/24/2022

Updated

1/25/2024

KEV Status

Technology

GitHub Actions

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hashicorp/vault-action	actions	< 2.2.0	2.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how secrets were processed in exportSecrets. The pre-patch code (vulnerable versions <2.2.0) used a single command.issue('add-mask', value) call for entire secret values. The commit 3526e1b shows this was replaced with a loop that splits multi-line values, removes carriage returns, and masks each non-empty line. The added tests in action.test.js specifically verify multi-line masking behavior, confirming the vulnerability existed in the original exportSecrets implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*i*orp v*ult-**tion (*k* V*ult *it*u* **tion) ***or* *.*.* *llows *tt**k*rs to o*t*in s*nsitiv* in*orm*tion *rom lo* *il*s ****us* * multi-lin* s**r*t w*s not *orr**tly r**ist*r** wit* *it*u* **tions *or lo* m*skin*. T** v*ult-**tion impl*m*nt*ti

Reasoning

T** vuln*r**ility st*ms *rom *ow s**r*ts w*r* pro**ss** in `*xportS**r*ts`. T** pr*-p*t** *o** (vuln*r**l* v*rsions <*.*.*) us** * sin*l* `*omm*n*.issu*('***-m*sk', v*lu*)` **ll *or *ntir* s**r*t v*lu*s. T** *ommit `*******` s*ows t*is w*s r*pl**** w

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-32074: Vault GitHub Action did not correctly mask multi-line secrets in output

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI