Bitnami package
vault
pkg:bitnami/vault
Vulnerabilities (71)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-24999 | — | < 1.10.11 | 1.10.11 | Mar 10, 2023 | HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.1 | ||
| CVE-2022-41316 | — | < 1.9.10 | 1.9.10 | Oct 12, 2022 | HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11. | ||
| CVE-2022-40186 | — | >= 1.8.0, < 1.9.9 | 1.9.9 | Sep 22, 2022 | An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an i | ||
| CVE-2022-36129 | — | >= 1.7.0, < 1.9.8 | 1.9.8 | Jul 26, 2022 | HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastr | ||
| CVE-2022-30689 | — | >= 1.10.0, < 1.10.3 | 1.10.3 | May 17, 2022 | HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. F | ||
| CVE-2022-25243 | — | >= 1.8.0, < 1.8.9 | 1.8.9 | Mar 7, 2022 | "Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault | ||
| CVE-2022-25244 | — | >= 1.7.0, < 1.7.10 | 1.7.10 | Mar 7, 2022 | Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10. | ||
| CVE-2021-45042 | — | >= 1.4.0, < 1.7.7 | 1.7.7 | Dec 17, 2021 | In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage back | ||
| CVE-2021-43998 | — | >= 0.11.0, < 1.7.6 | 1.7.6 | Nov 30, 2021 | HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed i | ||
| CVE-2021-42135 | — | >= 1.8.0, < 1.8.5 | 1.8.5 | Oct 11, 2021 | HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset | ||
| CVE-2021-41802 | — | < 1.7.5 | 1.7.5 | Oct 8, 2021 | HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8. | ||
| CVE-2021-27668 | — | >= 0.9.2, < 1.6.3 | 1.6.3 | Aug 31, 2021 | HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3. | ||
| CVE-2021-38553 | — | >= 1.4.0, < 1.8.0 | 1.8.0 | Aug 13, 2021 | HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. | ||
| CVE-2021-38554 | — | < 1.8.0 | 1.8.0 | Aug 13, 2021 | HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. | ||
| CVE-2021-32923 | — | >= 0.10.0, < 1.5.9 | 1.5.9 | Jun 3, 2021 | HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, | ||
| CVE-2021-27400 | — | < 1.6.4 | 1.6.4 | Apr 22, 2021 | HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1 | ||
| CVE-2021-29653 | — | >= 1.5.1, < 1.5.8 | 1.5.8 | Apr 22, 2021 | HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1. | ||
| CVE-2021-3024 | — | < 1.5.7 | 1.5.7 | Feb 1, 2021 | HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | ||
| CVE-2020-25594 | — | < 1.5.7 | 1.5.7 | Feb 1, 2021 | HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | ||
| CVE-2021-3282 | — | >= 1.6.0, < 1.6.1 | 1.6.1 | Feb 1, 2021 | HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. |
- CVE-2023-24999Mar 10, 2023affected < 1.10.11fixed 1.10.11
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.1
- CVE-2022-41316Oct 12, 2022affected < 1.9.10fixed 1.9.10
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.
- CVE-2022-40186Sep 22, 2022affected >= 1.8.0, < 1.9.9fixed 1.9.9
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an i
- CVE-2022-36129Jul 26, 2022affected >= 1.7.0, < 1.9.8fixed 1.9.8
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastr
- CVE-2022-30689May 17, 2022affected >= 1.10.0, < 1.10.3fixed 1.10.3
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. F
- CVE-2022-25243Mar 7, 2022affected >= 1.8.0, < 1.8.9fixed 1.8.9
"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault
- CVE-2022-25244Mar 7, 2022affected >= 1.7.0, < 1.7.10fixed 1.7.10
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10.
- CVE-2021-45042Dec 17, 2021affected >= 1.4.0, < 1.7.7fixed 1.7.7
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage back
- CVE-2021-43998Nov 30, 2021affected >= 0.11.0, < 1.7.6fixed 1.7.6
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed i
- CVE-2021-42135Oct 11, 2021affected >= 1.8.0, < 1.8.5fixed 1.8.5
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset
- CVE-2021-41802Oct 8, 2021affected < 1.7.5fixed 1.7.5
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.
- CVE-2021-27668Aug 31, 2021affected >= 0.9.2, < 1.6.3fixed 1.6.3
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.
- CVE-2021-38553Aug 13, 2021affected >= 1.4.0, < 1.8.0fixed 1.8.0
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.
- CVE-2021-38554Aug 13, 2021affected < 1.8.0fixed 1.8.0
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
- CVE-2021-32923Jun 3, 2021affected >= 0.10.0, < 1.5.9fixed 1.5.9
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5,
- CVE-2021-27400Apr 22, 2021affected < 1.6.4fixed 1.6.4
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
- CVE-2021-29653Apr 22, 2021affected >= 1.5.1, < 1.5.8fixed 1.5.8
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
- CVE-2021-3024Feb 1, 2021affected < 1.5.7fixed 1.5.7
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
- CVE-2020-25594Feb 1, 2021affected < 1.5.7fixed 1.5.7
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
- CVE-2021-3282Feb 1, 2021affected >= 1.6.0, < 1.6.1fixed 1.6.1
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
Page 3 of 4