Bitnami package
vault
pkg:bitnami/vault
Vulnerabilities (71)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-35453 | — | | | >= 1.5.0, < 1.5.6 | 1.5.6 | Dec 17, 2020 | HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1. |
| CVE-2020-35177 | — | | | >= 1.5.0, < 1.5.6 | 1.5.6 | Dec 17, 2020 | HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1. |
| CVE-2020-35192 | — | | | >= 0.6.0, < 0.11.6 | 0.11.6 | Dec 17, 2020 | The official vault docker images before 0.11.6 contain a blank password for a root user. Systems using the vault docker container deployed from affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. |
| CVE-2020-25816 | — | | | >= 1.0.0, < 1.4.7 | 1.4.7 | Sep 30, 2020 | HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4. |
| CVE-2020-16251 | — | | | >= 0.8.3, < 1.2.5 | 1.2.5 | Aug 26, 2020 | HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1. |
| CVE-2020-16250 | — | | | >= 0.7.1, < 1.2.5 | 1.2.5 | Aug 26, 2020 | HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1. |
| CVE-2020-12757 | — | | | >= 1.4.0, < 1.4.2 | 1.4.2 | Jun 10, 2020 | HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being vali |
| CVE-2020-13223 | — | | | < 1.3.6 | 1.3.6 | Jun 10, 2020 | HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2. |
| CVE-2020-10661 | — | | | >= 0.11.0, < 1.3.4 | 1.3.4 | Mar 23, 2020 | HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after the fact. Fixed in 1.3.4. |
| CVE-2020-10660 | — | | | >= 0.9.0, < 1.3.4 | 1.3.4 | Mar 23, 2020 | HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4. |
| CVE-2020-7220 | — | | | >= 0.11.0, < 1.3.2 | 1.3.2 | Jan 23, 2020 | HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2. |