Filtered by vendor Hashicorp
Subscribe
Total
150 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-37219 | 1 Hashicorp | 1 Consul | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. | |||||
CVE-2021-37218 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.0.10 and 1.1.4. | |||||
CVE-2021-36230 | 1 Hashicorp | 1 Terraform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. Fixed in v202107-1. | |||||
CVE-2021-36213 | 1 Hashicorp | 1 Consul | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1. | |||||
CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | |||||
CVE-2021-32575 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1. | |||||
CVE-2021-32574 | 1 Hashicorp | 1 Consul | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. | |||||
CVE-2021-32074 | 1 Hashicorp | 1 Vault-action | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking. | |||||
CVE-2021-30476 | 1 Hashicorp | 1 Terraform Provider | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1. | |||||
CVE-2021-29653 | 1 Hashicorp | 1 Vault | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1. | |||||
CVE-2021-28156 | 1 Hashicorp | 1 Consul | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10. | |||||
CVE-2021-27668 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3. | |||||
CVE-2021-27400 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1 | |||||
CVE-2020-8567 | 3 Google, Hashicorp, Microsoft | 3 Secret Manager Provider For Secret Store Csi Driver, Vault Provider For Secrets Store Csi Driver, Azure Key Vault Provider For Secrets Store Csi Driver | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods. | |||||
CVE-2020-7956 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3. | |||||
CVE-2020-7955 | 1 Hashicorp | 1 Consul | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. | |||||
CVE-2020-7220 | 1 Hashicorp | 1 Vault | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2. | |||||
CVE-2020-7219 | 1 Hashicorp | 1 Consul | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. | |||||
CVE-2020-7218 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3. | |||||
CVE-2020-35453 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1. |