Dapr July 2020 security audit report
via RetryPolicy of state components (Medium) DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) Orchestration Hardening Network Policy Zero-Trust Concepts RBAC Secrets Management DAP-01-011 WP2: HTTP Parameter Pollution in Hashicorp secret vault (Low) It was found that the SecretStore implementation of the Hashicorp’s secret vault is vulnerable to a HTTP Parameter Pollution vulnerability unintended for Dapr. Affected File: github.com/dapr/components-contrib@v0.8.0/secretstores/hashicorp/vault/vault.go Affected Code: func (v *vaultSecretStore) GetSecret(req secretstores.GetSecretRequest)
0 points | 19 pages | 267.84 KB | 1 year ago
Dapr September 2023 security audit report
skip server config verify which is unsafe!") } Not all components follow this practice. The Hashicorp Vault Secretstore component labels the option “Insecure” but does not log a warning. Other components requests it. The attacker is likely to be an insider who has certain privileges. Example 1: Vault If the Vault SecretStore component does not receive a successful response from the remote store, Dapr copies https://github.com/dapr/components-contrib/blob/cfbac4d794b35e5da28d65a13369d33383fb6ad4/secretstores/hashicorp/vault/vault.go#L247 if httpresp.StatusCode != http.StatusOK { var b bytes
0 points | 47 pages | 1.05 MB | 1 year ago
Dapr February 2021 security audit report
Parameter Pollution in Hashicorp secret vault (Low) Status: Open While reviewing the Dapr source code, it was noticed that the HTTP parameter pollution inside the Hashicorp vault code is still possible
0 points | 9 pages | 161.25 KB | 1 year ago













