VYPR

apk package

chainguard/vault-1.16

pkg:apk/chainguard/vault-1.16

Vulnerabilities (83)

  • CVE-2024-51744 | Low | Nov 4, 2024
    affected < 1.16.3-r6; fixed 1.16.3-r6

    golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r

  • CVE-2024-34158 | High | Sep 6, 2024
    affected < 1.16.3-r15; fixed 1.16.3-r15

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156 | High | Sep 6, 2024
    affected < 1.16.3-r15; fixed 1.16.3-r15

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-34155 | Medium | Sep 6, 2024
    affected < 1.16.3-r15; fixed 1.16.3-r15

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

  • CVE-2024-8365 | Sep 2, 2024
    affected < 1.16.3-r29; fixed 1.16.3-r29

    Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token ac

  • CVE-2024-6468 | Jul 11, 2024
    affected < 1.16.3-r29; fixed 1.16.3-r29

    Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_auth

  • CVE-2024-6104 | Jun 24, 2024
    affected < 1.16.3-r15; fixed 1.16.3-r15

    go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

  • CVE-2024-35255 | Jun 11, 2024
    affected < 1.16.3-r15; fixed 1.16.3-r15

    Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

  • CVE-2024-24788 | Medium | May 8, 2024
    affected < 1.16.3-r15; fixed 1.16.3-r15

    A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

  • CVE-2024-24787 | Medium | May 8, 2024
    affected < 1.16.3-r15; fixed 1.16.3-r15

    On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

  • CVE-2024-0406 | Apr 6, 2024
    affected < 1.16.3-r37; fixed 1.16.3-r37

    A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or applic

  • CVE-2024-2660 | Apr 4, 2024
    affected < 0; fixed 0

    Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterpri

  • CVE-2024-2048 | Mar 4, 2024
    affected < 0; fixed 0

    Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to

  • CVE-2023-5954 | Nov 9, 2023
    affected < 0; fixed 0

    HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

  • CVE-2023-5077 | Sep 28, 2023
    affected < 0; fixed 0

    The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

  • CVE-2023-3462 | Jul 31, 2023
    affected < 0; fixed 0

    HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnera

  • CVE-2023-2121 | Jun 9, 2023
    affected < 0; fixed 0

    Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

  • CVE-2023-0665 | Mar 30, 2023
    affected < 0; fixed 0

    HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance

  • CVE-2023-25000 | Mar 30, 2023
    affected < 0; fixed 0

    HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the sea

  • CVE-2023-24999 | Mar 10, 2023
    affected < 0; fixed 0

    HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.1

Page 4 of 5