Filtered by vendor Hashicorp
Subscriptions
Total
144 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2022-10-25 | 7.4 High |
| HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | ||||
| CVE-2021-3282 | 1 Hashicorp | 1 Vault | 2022-10-25 | 7.5 High |
| HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. | ||||
| CVE-2020-28053 | 1 Hashicorp | 1 Consul | 2022-10-25 | 6.5 Medium |
| HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6. | ||||
| CVE-2020-25864 | 1 Hashicorp | 1 Consul | 2022-10-25 | 6.1 Medium |
| HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. | ||||
| CVE-2021-28156 | 1 Hashicorp | 1 Consul | 2022-10-25 | 7.5 High |
| HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10. | ||||
| CVE-2020-25201 | 1 Hashicorp | 1 Consul | 2022-10-25 | 7.5 High |
| HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5. | ||||
| CVE-2021-32574 | 1 Hashicorp | 1 Consul | 2022-10-25 | 7.5 High |
| HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. | ||||
| CVE-2022-41606 | 1 Hashicorp | 1 Nomad | 2022-10-13 | 6.5 Medium |
| HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0. | ||||
| CVE-2022-29810 | 1 Hashicorp | 1 Go-getter | 2022-10-06 | 5.5 Medium |
| The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. | ||||
| CVE-2021-38698 | 1 Hashicorp | 1 Consul | 2022-09-14 | 6.5 Medium |
| HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. | ||||
| CVE-2021-36213 | 1 Hashicorp | 1 Consul | 2022-09-14 | 7.5 High |
| HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1. | ||||
| CVE-2020-25594 | 1 Hashicorp | 1 Vault | 2022-09-14 | 5.3 Medium |
| HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | ||||
| CVE-2021-3024 | 1 Hashicorp | 1 Vault | 2022-09-14 | 5.3 Medium |
| HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | ||||
| CVE-2022-36130 | 1 Hashicorp | 1 Boundary | 2022-09-09 | 9.9 Critical |
| HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2. | ||||
| CVE-2021-27668 | 1 Hashicorp | 1 Vault | 2022-09-08 | 5.3 Medium |
| HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3. | ||||
| CVE-2021-37219 | 1 Hashicorp | 1 Consul | 2022-09-08 | 8.8 High |
| HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. | ||||
| CVE-2021-41802 | 1 Hashicorp | 1 Vault | 2022-09-08 | 5.4 Medium |
| HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. | ||||
| CVE-2021-43998 | 1 Hashicorp | 1 Vault | 2022-09-08 | 6.5 Medium |
| HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0. | ||||
| CVE-2021-45042 | 1 Hashicorp | 1 Vault | 2022-09-08 | 4.9 Medium |
| In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0. | ||||
| CVE-2021-38554 | 1 Hashicorp | 1 Vault | 2022-09-08 | 5.3 Medium |
| HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. | ||||