
PRP: Secret extractor for HashiCorp Cloud Platform API keys #1253

@thevilledev

Description

  • Secret name: HashiCorp Cloud Platform (HCP) API keys

  • Risk in exposing the secret: HCP is a managed platform offering HashiCorp products-as-a-service. With exposed HCP API keys attackers can gain access to sensitive cloud resources, manage Vault secrets, provision infrastructure, escalate privileges, and potentially access or manipulate production data and billing information. Furthermore, the secrets can be leveraged to access other services, such as cloud environments (GCP, Azure, and so on).

  • Validation method, if any:

    • An access token can be created by calling the oauth2 token endpoint with HCP_CLIENT_ID and HCP_CLIENT_SECRET.
    • With the HCP_ACCESS_TOKEN, query the HCP API endpoints (such as the /v1/organizations and /v1/projects endpoints) to check if the exposed API key is able to access valid organization or project data. See additional details on IAM policy here.
  • Resources:
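The extraction and validation procedure described in the issue, as an added example that is neither the issue author's nor the project's code: a small Python detector that pulls HCP_CLIENT_ID / HCP_CLIENT_SECRET assignments out of text and checks a pair with the client-credentials token exchange followed by an organizations listing. The token and organizations endpoint URLs, the audience value and the value character class in the regex are assumptions (HCP's exact key format is not given on the page); the `http` parameter lets the check run against a stub instead of the network.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Endpoint URLs are assumptions taken from public HCP docs, not from the issue text.
TOKEN_URL = "https://auth.idp.hashicorp.com/oauth2/token"
ORGS_URL = "https://api.cloud.hashicorp.com/resource-manager/2019-12-10/organizations"
# Matches HCP_CLIENT_ID / HCP_CLIENT_SECRET assignments in .env, shell and YAML-style
# files; the value character class is an assumption, HCP's key format is not given here.
_KV = re.compile(r'HCP_(CLIENT_ID|CLIENT_SECRET)\s*[=:]\s*["\']?([A-Za-z0-9_\-]{16,})["\']?')

def extract_hcp_pairs(text):
    """Return (client_id, client_secret) pairs found in text, paired in order."""
    found = [(m.group(1), m.group(2)) for m in _KV.finditer(text)]
    ids = [v for k, v in found if k == "CLIENT_ID"]
    secrets = [v for k, v in found if k == "CLIENT_SECRET"]
    return list(zip(ids, secrets))

def _http(method, url, body=None, headers=None):
    """Return (status, body); HTTP error replies are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def verify_hcp_key(client_id, client_secret, http=_http):
    """Liveness check from the issue: exchange the key pair for a token, then list
    organizations. Returns 'invalid', 'valid_no_access', 'valid' or 'unknown'."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "audience": "https://api.hashicorp.cloud",  # assumption
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    status, body = http("POST", TOKEN_URL, form,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        # 400/401/403 from the token endpoint means the pair was rejected outright.
        return "invalid" if status in (400, 401, 403) else "unknown"
    token = json.loads(body).get("access_token")
    if not token:
        return "invalid"
    status, body = http("GET", ORGS_URL, None, {"Authorization": "Bearer " + token})
    if status != 200:
        # A token was issued but IAM denies the listing: the key is live, just scoped down.
        return "valid_no_access" if status == 403 else "unknown"
    orgs = json.loads(body).get("organizations", [])
    return "valid" if orgs else "valid_no_access"
```

A detector would report "valid" and "valid_no_access" as live credentials to rotate, since both mean the pair still authenticates.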

Labels

  • PRP: Patch Reward Program. This label is added to all PRP related issues for easy filtering.
  • PRP:Accepted: Patch Reward Program. This issue has been accepted as a PRP entry.