Affected by GO-2024-2617 and 18 other vulnerabilities

GO-2024-2617: Authentication bypass in github.com/hashicorp/vault

GO-2024-2690: HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault

GO-2024-2921: HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault

GO-2024-2982: Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions in github.com/hashicorp/vault

GO-2024-3162: Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault

GO-2024-3191: Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault

GO-2024-3246: Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault

GO-2025-3662: Hashicorp Vault Community vulnerable to Incorrect Authorization in github.com/hashicorp/vault

GO-2025-3663: Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information in github.com/hashicorp/vault

GO-2025-3836: Hashicorp Vault has Incorrect Validation for Non-CA Certificates in github.com/hashicorp/vault

GO-2025-3837: Hashicorp Vault has Privilege Escalation Vulnerability in github.com/hashicorp/vault

GO-2025-3838: Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration in github.com/hashicorp/vault

GO-2025-3839: Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users in github.com/hashicorp/vault

GO-2025-3840: Hashicorp Vault has Lockout Feature Authentication Bypass in github.com/hashicorp/vault

GO-2025-3841: Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault

GO-2025-3842: Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability in github.com/hashicorp/vault

GO-2025-3848: HashiCorp Vault ldap auth method may not have correctly enforced MFA in github.com/hashicorp/vault

GO-2025-3924: HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads in github.com/hashicorp/vault

GO-2025-4070: HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass in github.com/hashicorp/vault

config

package

v1.14.7 Latest Latest Go to latest Published: Nov 21, 2023 License: MPL-2.0 Imports: 17 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/hashicorp/vault

Links

Open Source Insights

Documentation ¶

Constants ¶

View Source

const (
	DisableIdleConnsEnv  = "VAULT_PROXY_DISABLE_IDLE_CONNECTIONS"
	DisableKeepAlivesEnv = "VAULT_PROXY_DISABLE_KEEP_ALIVES"
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type APIProxy ¶

type APIProxy struct {
	UseAutoAuthTokenRaw interface{} `hcl:"use_auto_auth_token"`
	UseAutoAuthToken    bool        `hcl:"-"`
	ForceAutoAuthToken  bool        `hcl:"-"`
	EnforceConsistency  string      `hcl:"enforce_consistency"`
	WhenInconsistent    string      `hcl:"when_inconsistent"`
}

APIProxy contains any configuration needed for proxy mode

type AutoAuth ¶

type AutoAuth struct {
	Method *Method `hcl:"-"`
	Sinks  []*Sink `hcl:"sinks"`

	// NOTE: This is unsupported outside of testing and may disappear at any
	// time.
	EnableReauthOnNewCredentials bool `hcl:"enable_reauth_on_new_credentials"`
}

AutoAuth is the configured authentication method and sinks

type Cache ¶

type Cache struct {
	Persist      *agentproxyshared.PersistConfig `hcl:"persist"`
	InProcDialer transportDialer                 `hcl:"-"`
}

Cache contains any configuration needed for Cache mode

type Config ¶

type Config struct {
	*configutil.SharedConfig `hcl:"-"`

	AutoAuth                  *AutoAuth `hcl:"auto_auth"`
	ExitAfterAuth             bool      `hcl:"exit_after_auth"`
	Cache                     *Cache    `hcl:"cache"`
	APIProxy                  *APIProxy `hcl:"api_proxy""`
	Vault                     *Vault    `hcl:"vault"`
	DisableIdleConns          []string  `hcl:"disable_idle_connections"`
	DisableIdleConnsAPIProxy  bool      `hcl:"-"`
	DisableIdleConnsAutoAuth  bool      `hcl:"-"`
	DisableKeepAlives         []string  `hcl:"disable_keep_alives"`
	DisableKeepAlivesAPIProxy bool      `hcl:"-"`
	DisableKeepAlivesAutoAuth bool      `hcl:"-"`
}

Config is the configuration for Vault Proxy.

func LoadConfig ¶

func LoadConfig(path string) (*Config, error)

LoadConfig loads the configuration at the given path, regardless if it's a file or directory.

func LoadConfigDir ¶

func LoadConfigDir(dir string) (*Config, error)

LoadConfigDir loads the configuration at the given path if it's a directory

func LoadConfigFile ¶

func LoadConfigFile(path string) (*Config, error)

LoadConfigFile loads the configuration at the given path if it's a file

func NewConfig ¶

func NewConfig() *Config

func (*Config) Merge ¶

func (c *Config) Merge(c2 *Config) *Config

Merge merges two Proxy configurations.

func (*Config) Prune ¶

func (c *Config) Prune()

func (*Config) ValidateConfig ¶

func (c *Config) ValidateConfig() error

ValidateConfig validates a Vault configuration after it has been fully merged together, to ensure that required combinations of configs are there

type Method ¶

type Method struct {
	Type          string
	MountPath     string        `hcl:"mount_path"`
	WrapTTLRaw    interface{}   `hcl:"wrap_ttl"`
	WrapTTL       time.Duration `hcl:"-"`
	MinBackoffRaw interface{}   `hcl:"min_backoff"`
	MinBackoff    time.Duration `hcl:"-"`
	MaxBackoffRaw interface{}   `hcl:"max_backoff"`
	MaxBackoff    time.Duration `hcl:"-"`
	Namespace     string        `hcl:"namespace"`
	ExitOnError   bool          `hcl:"exit_on_err"`
	Config        map[string]interface{}
}

Method represents the configuration for the authentication backend

type Retry ¶

type Retry struct {
	NumRetries int `hcl:"num_retries"`
}

type Sink ¶

type Sink struct {
	Type       string
	WrapTTLRaw interface{}   `hcl:"wrap_ttl"`
	WrapTTL    time.Duration `hcl:"-"`
	DHType     string        `hcl:"dh_type"`
	DeriveKey  bool          `hcl:"derive_key"`
	DHPath     string        `hcl:"dh_path"`
	AAD        string        `hcl:"aad"`
	AADEnvVar  string        `hcl:"aad_env_var"`
	Config     map[string]interface{}
}

Sink defines a location to write the authenticated token

type Vault ¶

type Vault struct {
	Address          string      `hcl:"address"`
	CACert           string      `hcl:"ca_cert"`
	CAPath           string      `hcl:"ca_path"`
	TLSSkipVerify    bool        `hcl:"-"`
	TLSSkipVerifyRaw interface{} `hcl:"tls_skip_verify"`
	ClientCert       string      `hcl:"client_cert"`
	ClientKey        string      `hcl:"client_key"`
	TLSServerName    string      `hcl:"tls_server_name"`
	Retry            *Retry      `hcl:"retry"`
}

Vault contains configuration for connecting to Vault servers

Source Files ¶

View all Source files

config.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL