Filtered by vendor Hashicorp
Subscribe
Total
140 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25244 | 1 Hashicorp | 1 Vault | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10. | |||||
| CVE-2022-25374 | 1 Hashicorp | 1 Terraform Enterprise | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1. | |||||
| CVE-2022-30322 | 1 Hashicorp | 1 Go-getter | 2024-02-04 | 7.5 HIGH | 8.6 HIGH |
| go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0. | |||||
| CVE-2022-30321 | 1 Hashicorp | 1 Go-getter | 2024-02-04 | 7.5 HIGH | 8.6 HIGH |
| go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0. | |||||
| CVE-2022-24686 | 1 Hashicorp | 1 Nomad | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6 | |||||
| CVE-2022-29153 | 2 Fedoraproject, Hashicorp | 2 Fedora, Consul | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5. | |||||
| CVE-2022-30324 | 1 Hashicorp | 1 Nomad | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1. | |||||
| CVE-2021-43998 | 1 Hashicorp | 1 Vault | 2024-02-04 | 5.5 MEDIUM | 6.5 MEDIUM |
| HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0. | |||||
| CVE-2021-42135 | 1 Hashicorp | 1 Vault | 2024-02-04 | 4.9 MEDIUM | 8.1 HIGH |
| HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. | |||||
| CVE-2021-45042 | 1 Hashicorp | 1 Vault | 2024-02-04 | 6.8 MEDIUM | 4.9 MEDIUM |
| In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0. | |||||
| CVE-2021-41802 | 1 Hashicorp | 1 Vault | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. | |||||
| CVE-2021-41865 | 1 Hashicorp | 1 Nomad | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6. | |||||
| CVE-2021-43415 | 1 Hashicorp | 1 Nomad | 2024-02-04 | 6.0 MEDIUM | 8.8 HIGH |
| HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1. | |||||
| CVE-2021-41805 | 1 Hashicorp | 1 Consul | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. | |||||
| CVE-2021-40862 | 1 Hashicorp | 1 Terraform Enterprise | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1. | |||||
| CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2024-02-04 | 5.8 MEDIUM | 7.4 HIGH |
| HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | |||||
| CVE-2021-28156 | 1 Hashicorp | 1 Consul | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10. | |||||
| CVE-2021-32575 | 1 Hashicorp | 1 Nomad | 2024-02-04 | 3.3 LOW | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1. | |||||
| CVE-2021-37219 | 1 Hashicorp | 1 Consul | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. | |||||
| CVE-2021-32074 | 1 Hashicorp | 1 Vault-action | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking. | |||||