golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/hashicorp/boundary: GHSA-9vrm-v9xv-x3xr #1898

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-9vrm-v9xv-x3xr, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/hashicorp/boundary | 0.12.0 | >= 0.10.0, < 0.12.0 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
    - module: github.com/hashicorp/boundary
      versions:
        - introduced: 0.10.0
          fixed: 0.12.0
      vulnerable_at: 0.11.2
      packages:
        - package: github.com/hashicorp/boundary
summary: |-
    HashiCorp Boundary Workers Store Rotated Credentials in Plaintext Even When Key
    Management Service Configured
description: |-
    HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using
    a PKI-based worker with a Key Management Service (KMS) defined in the
    configuration file, new credentials created after an automatic rotation may not
    have been encrypted via the intended KMS. This would result in the credentials
    being stored in plaintext on the Boundary PKI worker’s disk. This issue is
    fixed in version 0.12.0.
cves:
    - CVE-2023-0690
ghsas:
    - GHSA-9vrm-v9xv-x3xr
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-0690
    - web: https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907
    - advisory: https://github.com/advisories/GHSA-9vrm-v9xv-x3xr
```

gopherbot commented 1 year ago

Change https://go.dev/cl/508456 mentions this issue: data/excluded: batch add 14 excluded reports

gopherbot commented 3 months ago

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

gopherbot commented 1 month ago

Change https://go.dev/cl/606787 mentions this issue: data/reports: unexclude 20 reports (7)