VYPR
High severity · NVD Advisory · Published Jun 10, 2020 · Updated Aug 4, 2024

CVE-2020-13223

Description

HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HashiCorp Vault and Vault Enterprise logged proxy environment variables that could contain sensitive credentials.

Vulnerability

Overview

CVE-2020-13223 describes an information disclosure vulnerability in HashiCorp Vault and Vault Enterprise. The software logged proxy environment variables—such as http_proxy, https_proxy, and no_proxy—without redacting any embedded credentials. This could expose usernames and passwords if those environment variables contained full URLs with authentication information [1][2].

Exploitation

The logging is not something an attacker triggers: it happens whenever an operator starts the Vault server, both in normal operation and in recovery mode, because startup reads the proxy environment variables and writes them to the log with logger.Info [3]. An attacker needs no Vault credentials or privileges, only read access to wherever those logs end up (the host's log files, a log shipper, or a central aggregation system), to recover any credentials embedded in the proxy URLs.

Impact

If an administrator configured Vault with proxy environment variables that included credentials (e.g., http://user:password@proxy:8080), those credentials would be written in plaintext to the log. An attacker with access to the logs could obtain sensitive authentication material, potentially allowing further compromise of network resources reachable through the proxy [1][4].

Mitigation

HashiCorp fixed the issue in Vault 1.3.6 and 1.4.2. The patch moves the logging into a new function, logProxyEnvironmentVariables, which parses each proxy value as a URL, replaces any username and password with placeholder strings, and logs the sanitized value [3]; the environment variables themselves are left untouched, so the proxy keeps working. Upgrade to a patched version. There is no workaround beyond keeping credentials out of the proxy environment variables and restricting who can read Vault's logs. Servers that ran an unpatched version have already written any embedded credentials to their logs, and those lines persist in log archives and aggregation systems; treat such credentials as exposed and rotate them.
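To make the redaction concrete, and to show where a URL-parsing approach can still leak, here is an added Go example; it is not Vault's code. patchRedact reproduces the per-value logic of the fix for comparison, redactProxyValue is a hardened variant that also catches scheme-less values such as user:pass@host:port (which net/url parses as an opaque URL with no userinfo, so a URL-only check logs them verbatim), and proxyEnvironment reads the variables through an injected getenv so the example runs against a constructed environment. The function names, the sample proxy values and the uppercase-before-lowercase lookup order are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// patchRedact mirrors the per-value logic of the Vault fix (#9022):
// parse the value as a URL, redact userinfo if present, otherwise log it as-is.
func patchRedact(v string) string {
	u, err := url.Parse(v)
	if err != nil {
		return v // the patch keeps the raw value when parsing fails
	}
	if _, ok := u.User.Password(); ok {
		u.User = url.UserPassword("redacted-username", "redacted-password")
	} else if u.User.Username() != "" {
		u.User = url.User("redacted-username")
	}
	return u.String()
}

// redactProxyValue is the hardened variant (example code, not Vault's).
// "alice:s3cret@10.0.0.1:3128" parses without error as scheme "alice" with an
// opaque part, so u.User is nil and patchRedact returns it unchanged. Any value
// that does not yield an authority (u.Host == "") is re-parsed with an http://
// prefix so that userinfo is detected and redacted before logging.
func redactProxyValue(raw string) string {
	if raw == "" {
		return ""
	}
	hadScheme := true
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		hadScheme = false
		if u, err = url.Parse("http://" + raw); err != nil {
			// Still not parseable: never log a value we could not inspect.
			return "<unparseable proxy value>"
		}
	}
	if u.User != nil {
		if _, hasPassword := u.User.Password(); hasPassword {
			u.User = url.UserPassword("redacted-username", "redacted-password")
		} else if u.User.Username() != "" {
			u.User = url.User("redacted-username")
		}
	}
	s := u.String()
	if !hadScheme {
		s = strings.TrimPrefix(s, "http://") // present it the way the operator wrote it
	}
	return s
}

// firstSet returns the first non-empty variable among names, read via getenv.
func firstSet(getenv func(string) string, names ...string) string {
	for _, n := range names {
		if v := getenv(n); v != "" {
			return v
		}
	}
	return ""
}

// proxyEnvironment returns log-safe proxy settings. getenv is injected (pass
// os.Getenv for the real process environment) so the example runs offline.
// no_proxy is a comma-separated host/CIDR list, not a URL, and is passed
// through without URL parsing.
func proxyEnvironment(getenv func(string) string) map[string]string {
	return map[string]string{
		"http_proxy":  redactProxyValue(firstSet(getenv, "HTTP_PROXY", "http_proxy")),
		"https_proxy": redactProxyValue(firstSet(getenv, "HTTPS_PROXY", "https_proxy")),
		"no_proxy":    firstSet(getenv, "NO_PROXY", "no_proxy"),
	}
}

func main() {
	// Constructed sample environment; the credentials are made up for the demo.
	env := map[string]string{
		"HTTPS_PROXY": "https://alice:s3cret@proxy.example.com:3128",
		"http_proxy":  "alice:s3cret@10.0.0.1:3128", // scheme-less: slips past patchRedact
		"no_proxy":    "localhost,127.0.0.1,.example.internal",
	}
	getenv := func(name string) string { return env[name] }
	fmt.Println("patch logic,  http_proxy :", patchRedact(env["http_proxy"]))
	safe := proxyEnvironment(getenv)
	for _, k := range []string{"http_proxy", "https_proxy", "no_proxy"} {
		fmt.Printf("hardened,     %-11s: %s\n", k, safe[k])
	}
}
```

Running it prints the scheme-less http_proxy value with its password intact under the patch logic and redacted under the hardened variant; the https_proxy URL is redacted by both. Swap the constructed getenv for os.Getenv to inspect a real process environment.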

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions    Patched versions
github.com/hashicorp/vault  Go          >= 1.3.0, < 1.3.6    1.3.6
github.com/hashicorp/vault  Go          >= 1.4.0, < 1.4.2    1.4.2

Affected products

3

Patches

2
87f47c216cf1

changelog++

https://github.com/hashicorp/vault · Meggie · May 21, 2020 · via ghsa
1 file changed · +3 −2
  • CHANGELOG.md (+3 −2, modified)
    @@ -29,7 +29,8 @@ BUG FIXES:
     ## 1.4.2 (May 21st, 2020)
     
     SECURITY:
    -* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
    +* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.2, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
    +* secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being used instead of the configured backend TTLs for dynamic service accounts. This vulnerability is CVE-2020-12757. [[GH-85](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/85)]
     
     IMPROVEMENTS:
     
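Review bot: the sentence added to the 1.4.2 entry contradicts itself: it says the issue "is fixed in 1.3.6 and 1.4.2" and in the same breath that it "affects 1.4 and 1.4.2". For this series the vulnerable releases are 1.4.0 and 1.4.1, i.e. everything before the fix, so the text should read "affects 1.4.0 and 1.4.1, as well as older versions of Vault". Readers scanning the changelog to decide whether to upgrade will otherwise conclude 1.4.2 is still affected.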
    @@ -216,7 +217,7 @@ BUG FIXES:
     ## 1.3.6 (May 21st, 2020)
     
     SECURITY:
    -* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
    +* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.2, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
     
     BUG FIXES:
     
    
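Review bot: the same wording is pasted into the 1.3.6 entry, where "affects 1.4 and 1.4.2" is wrong twice over: 1.4.2 is a fixed release, and the 1.3.x series has nothing to do with 1.4. For this entry the affected versions are 1.3.0 through 1.3.5; suggest "This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, and affects 1.3.0 through 1.3.5 as well as older versions of Vault".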
e52f34772aff

Don't include username or password of proxy env vars when logging them. (#9022)

https://github.com/hashicorp/vault · ncabatoff · May 19, 2020 · via ghsa
1 file changed · +27 −7
  • command/server.go (+27 −7, modified)
    @@ -445,9 +445,7 @@ func (c *ServerCommand) runRecoveryMode() int {
     		vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
     	}
     
    -	proxyCfg := httpproxy.FromEnvironment()
    -	c.logger.Info("proxy environment", "http_proxy", proxyCfg.HTTPProxy,
    -		"https_proxy", proxyCfg.HTTPSProxy, "no_proxy", proxyCfg.NoProxy)
    +	logProxyEnvironmentVariables(c.logger)
     
     	// Initialize the storage backend
     	factory, exists := c.PhysicalBackends[config.Storage.Type]
    @@ -684,6 +682,31 @@ func (c *ServerCommand) runRecoveryMode() int {
     	return 0
     }
     
    +func logProxyEnvironmentVariables(logger hclog.Logger) {
    +	proxyCfg := httpproxy.FromEnvironment()
    +	cfgMap := map[string]string{
    +		"http_proxy":  proxyCfg.HTTPProxy,
    +		"https_proxy": proxyCfg.HTTPSProxy,
    +		"no_proxy":    proxyCfg.NoProxy,
    +	}
    +	for k, v := range cfgMap {
    +		u, err := url.Parse(v)
    +		if err != nil {
    +			// Env vars may contain URLs or host:port values.  We only care
    +			// about the former.
    +			continue
    +		}
    +		if _, ok := u.User.Password(); ok {
    +			u.User = url.UserPassword("redacted-username", "redacted-password")
    +		} else if user := u.User.Username(); user != "" {
    +			u.User = url.User("redacted-username")
    +		}
    +		cfgMap[k] = u.String()
    +	}
    +	logger.Info("proxy environment", "http_proxy", cfgMap["http_proxy"],
    +		"https_proxy", cfgMap["https_proxy"], "no_proxy", cfgMap["no_proxy"])
    +}
    +
     func (c *ServerCommand) adjustLogLevel(config *server.Config, logLevelWasNotSet bool) (string, error) {
     	var logLevelString string
     	if config.LogLevel != "" && logLevelWasNotSet {
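Review bot: logProxyEnvironmentVariables still logs credentials for scheme-less proxy values. The comment "Env vars may contain URLs or host:port values. We only care about the former" assumes that anything without a scheme fails url.Parse, but a value like user:pass@10.0.0.1:3128 parses without error as scheme "user" with an opaque part, so u.User is nil, neither redaction branch fires, and cfgMap[k] = u.String() hands the original string, password included, to logger.Info. Suggest re-parsing "http://" + v whenever the first parse yields no authority (u.Host == "") before checking u.User, and leaving no_proxy out of the loop altogether, since it is a comma-separated host list rather than a URL and gains nothing from url.Parse. A cheaper alternative that needs no parsing at all is to log only whether each variable is set.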
    @@ -894,10 +917,7 @@ func (c *ServerCommand) Run(args []string) int {
     		vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
     	}
     
    -	// log proxy settings
    -	proxyCfg := httpproxy.FromEnvironment()
    -	c.logger.Info("proxy environment", "http_proxy", proxyCfg.HTTPProxy,
    -		"https_proxy", proxyCfg.HTTPSProxy, "no_proxy", proxyCfg.NoProxy)
    +	logProxyEnvironmentVariables(c.logger)
     
     	// If mlockall(2) isn't supported, show a warning. We disable this in dev
     	// because it is quite scary to see when first using Vault. We also disable
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
