Filtered by vendor Hashicorp
Subscribe
Total
167 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43998 | 1 Hashicorp | 1 Vault | 2022-09-08 | 5.5 MEDIUM | 6.5 MEDIUM |
| HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0. | |||||
| CVE-2021-45042 | 1 Hashicorp | 1 Vault | 2022-09-08 | 6.8 MEDIUM | 4.9 MEDIUM |
| In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0. | |||||
| CVE-2021-38554 | 1 Hashicorp | 1 Vault | 2022-09-08 | 3.5 LOW | 5.3 MEDIUM |
| HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. | |||||
| CVE-2022-38149 | 1 Hashicorp | 1 Consul Template | 2022-09-01 | N/A | 7.5 HIGH |
| HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may expose the contents of Vault secrets in the error returned by the *template.Template.Execute method, when given a template using Vault secret contents incorrectly. Fixed in 0.27.3, 0.28.3, and 0.29.2. | |||||
| CVE-2022-24685 | 1 Hashicorp | 1 Nomad | 2022-08-11 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6. | |||||
| CVE-2022-25374 | 1 Hashicorp | 1 Terraform Enterprise | 2022-08-11 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1. | |||||
| CVE-2021-40862 | 1 Hashicorp | 1 Terraform Enterprise | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1. | |||||
| CVE-2021-3153 | 1 Hashicorp | 1 Terraform Enterprise | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1. | |||||
| CVE-2021-42135 | 1 Hashicorp | 1 Vault | 2022-07-12 | 4.9 MEDIUM | 8.1 HIGH |
| HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. | |||||
| CVE-2022-30324 | 1 Hashicorp | 1 Nomad | 2022-06-10 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1. | |||||
| CVE-2022-24686 | 1 Hashicorp | 1 Nomad | 2022-05-11 | 4.3 MEDIUM | 5.9 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6 | |||||
| CVE-2022-24683 | 1 Hashicorp | 1 Nomad | 2022-05-11 | 7.8 HIGH | 7.5 HIGH |
| HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root. | |||||
| CVE-2021-41805 | 1 Hashicorp | 1 Consul | 2022-03-31 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. | |||||
| CVE-2021-44139 | 1 Hashicorp | 1 Sentinel | 2022-03-29 | 5.0 MEDIUM | 7.5 HIGH |
| Sentinel 1.8.2 is vulnerable to Server-side request forgery (SSRF). | |||||
| CVE-2022-25244 | 1 Hashicorp | 1 Vault | 2022-03-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10. | |||||
| CVE-2020-13223 | 1 Hashicorp | 1 Vault | 2022-02-21 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2. | |||||
| CVE-2020-7218 | 1 Hashicorp | 1 Nomad | 2022-02-20 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3. | |||||
| CVE-2021-41865 | 1 Hashicorp | 1 Nomad | 2021-10-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6. | |||||
| CVE-2021-37218 | 1 Hashicorp | 1 Nomad | 2021-09-13 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.0.10 and 1.1.4. | |||||
| CVE-2020-25816 | 1 Hashicorp | 1 Vault | 2021-09-07 | 4.9 MEDIUM | 6.8 MEDIUM |
| HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4. | |||||