CVE-2021-43837

8.4 HIGH

📋 TL;DR

CVE-2021-43837 is a remote code execution vulnerability in vault-cli where secrets starting with '!template!' are interpreted as Jinja2 templates. Attackers who can manipulate vault secrets can execute arbitrary code on systems running vulnerable vault-cli versions. Organizations using vault-cli with untrusted vault content are affected.

💻 Affected Systems

Products:
  • vault-cli
Versions: All versions before 3.0.0
Operating Systems: All platforms running vault-cli
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is active by default when processing secrets with '!template!' prefix.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via arbitrary code execution leading to data theft, lateral movement, and persistent backdoors.
🟠 Likely Case: Privilege escalation and data exfiltration from systems where vault-cli processes secrets from partially trusted sources.
🟢 If Mitigated: No impact if vault content is fully trusted or rendering is disabled.

🌐 Internet-Facing: MEDIUM - Requires vault-cli exposure to untrusted inputs, which is less common in internet-facing deployments.
🏢 Internal Only: HIGH - Internal systems processing secrets from shared vaults with multiple contributors are at significant risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to write or modify vault secrets. Jinja2 SSTI techniques are well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0

Vendor Advisory: https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j

Restart Required: No

Instructions:

1. Upgrade vault-cli to version 3.0.0 or later using pip: 'pip install --upgrade "vault-cli>=3.0.0"' (quote the requirement so the shell does not treat '>' as an output redirection)
2. Verify installation with 'vault-cli --version'

🔧 Temporary Workarounds

Disable template rendering via environment variable

all

Set VAULT_CLI_RENDER=false to disable Jinja2 template processing

export VAULT_CLI_RENDER=false

Disable template rendering via command flag

all

Use --no-render flag with vault-cli commands

vault-cli --no-render get-all

Disable template rendering in configuration

all

Add 'render: false' to vault-cli configuration YAML file

echo 'render: false' >> ~/.config/vault-cli/config.yaml

🧯 If You Can't Patch

  • Implement strict access controls to vault secrets to prevent unauthorized modifications
  • Audit all vault secrets for '!template!' prefixes and remove or sanitize them
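
One way to carry out the audit in the second bullet, as an added example that is not code from vault-cli or the vendor advisory. It assumes the secrets were exported with rendering disabled and already parsed into a nested dict; the function names, path format and sample data are constructed for illustration.

```python
from typing import Any, Dict, Iterator, Tuple

TEMPLATE_PREFIX = "!template!"   # prefix that triggers rendering, per the TL;DR above
JINJA_MARKERS = ("{{", "{%")     # Jinja2 expression / statement delimiters


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (path, leaf_value) for every leaf in a nested dict/list export."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}" if path else str(key))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit(export: Dict[str, Any]) -> Dict[str, bool]:
    """Map each path whose value starts with the prefix to whether its body
    also contains Jinja2 delimiters (review those first).
    Only paths are returned, never secret values, so the report can be shared."""
    findings = {}
    for path, value in walk(export):
        if isinstance(value, str) and value.startswith(TEMPLATE_PREFIX):
            body = value[len(TEMPLATE_PREFIX):]
            findings[path] = any(marker in body for marker in JINJA_MARKERS)
    return findings


# Constructed sample export (assumed shape, not real data).
SAMPLE_EXPORT = {
    "apps": {
        "billing": {"db_password": "constructed-value",
                    "dsn": "!template!postgres://{{ user }}@db"},
        "web": {"api_keys": ["plain-key", "!template!static text"], "port": 8080},
    },
    "note": "mentions !template! mid-string only",   # not a prefix, so not flagged
}

if __name__ == "__main__":
    for secret_path, has_jinja in sorted(audit(SAMPLE_EXPORT).items()):
        print(f"{secret_path}\tjinja_syntax={has_jinja}")
```

On a version before 3.0.0, take the export itself with rendering disabled (for example 'vault-cli --no-render get-all'), otherwise the audit run renders the very secrets it is meant to find.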

🔍 How to Verify

Check if Vulnerable:

Check vault-cli version with 'vault-cli --version' - versions below 3.0.0 are vulnerable

Check Version:

vault-cli --version

Verify Fix Applied:

Confirm version is 3.0.0+ and test that '!template!' secrets are no longer processed as templates

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from vault-cli context
  • Error logs related to Jinja2 template rendering

Network Indicators:

  • Unexpected outbound connections from systems running vault-cli

SIEM Query:

process_name:"vault-cli" AND (command_line:"!template!" OR command_line:"--no-render")
