Filtered by vendor Hashicorp
Subscribe
Total
117 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-25243 | 1 Hashicorp | 1 Vault | 2022-11-09 | 3.5 LOW | 6.5 MEDIUM |
"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4. | |||||
CVE-2022-36182 | 1 Hashicorp | 1 Boundary | 2022-10-31 | N/A | 6.1 MEDIUM |
Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site. | |||||
CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2022-10-25 | 5.8 MEDIUM | 7.4 HIGH |
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | |||||
CVE-2021-38553 | 1 Hashicorp | 1 Vault | 2022-10-25 | 2.1 LOW | 4.4 MEDIUM |
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. | |||||
CVE-2021-3282 | 1 Hashicorp | 1 Vault | 2022-10-25 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. | |||||
CVE-2021-28156 | 1 Hashicorp | 1 Consul | 2022-10-25 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10. | |||||
CVE-2020-28053 | 1 Hashicorp | 1 Consul | 2022-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6. | |||||
CVE-2020-25864 | 1 Hashicorp | 1 Consul | 2022-10-25 | 4.3 MEDIUM | 6.1 MEDIUM |
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. | |||||
CVE-2020-25201 | 1 Hashicorp | 1 Consul | 2022-10-25 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5. | |||||
CVE-2021-32574 | 1 Hashicorp | 1 Consul | 2022-10-25 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. | |||||
CVE-2022-42717 | 2 Hashicorp, Linux | 2 Vagrant, Linux Kernel | 2022-10-18 | N/A | 7.8 HIGH |
An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root. | |||||
CVE-2022-41606 | 1 Hashicorp | 1 Nomad | 2022-10-13 | N/A | 6.5 MEDIUM |
HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0. | |||||
CVE-2022-29810 | 1 Hashicorp | 1 Go-getter | 2022-10-06 | 2.1 LOW | 5.5 MEDIUM |
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. | |||||
CVE-2022-40716 | 1 Hashicorp | 1 Consul | 2022-09-26 | N/A | 6.5 MEDIUM |
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2." | |||||
CVE-2021-41803 | 1 Hashicorp | 1 Consul | 2022-09-23 | N/A | 7.1 HIGH |
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2." | |||||
CVE-2021-38698 | 1 Hashicorp | 1 Consul | 2022-09-14 | 4.0 MEDIUM | 6.5 MEDIUM |
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. | |||||
CVE-2021-36213 | 1 Hashicorp | 1 Consul | 2022-09-14 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1. | |||||
CVE-2020-25594 | 1 Hashicorp | 1 Vault | 2022-09-14 | 5.0 MEDIUM | 5.3 MEDIUM |
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | |||||
CVE-2021-3024 | 1 Hashicorp | 1 Vault | 2022-09-14 | 5.0 MEDIUM | 5.3 MEDIUM |
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | |||||
CVE-2022-36130 | 1 Hashicorp | 1 Boundary | 2022-09-09 | N/A | 9.9 CRITICAL |
HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2. |