Go modules package
github.com/hashicorp/vault
pkg:golang/github.com/hashicorp/vault
Vulnerabilities (55)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-43998 | — | | | >= 0.11.0, < 1.7.6 | 1.7.6 | Nov 30, 2021 | HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed i |
| CVE-2021-42135 | — | | | >= 1.8.0, <= 1.8.4 | — | Oct 11, 2021 | HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset |
| CVE-2021-41802 | — | | | < 1.7.5 | 1.7.5 | Oct 8, 2021 | HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8. |
| CVE-2021-38553 | — | | | >= 1.4.0, < 1.8.0 | 1.8.0 | Aug 13, 2021 | HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. |
| CVE-2021-38554 | — | | | < 1.6.6 | 1.6.6 | Aug 13, 2021 | HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. |
| CVE-2021-32923 | — | | | >= 1.7.0, < 1.7.2 | 1.7.2 | Jun 3, 2021 | HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, |
| CVE-2021-3282 | — | | | >= 1.6.0, < 1.6.2 | 1.6.2 | Feb 1, 2021 | HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. |
| CVE-2020-35177 | — | | | >= 1.5.0, < 1.5.6 | 1.5.6 | Dec 17, 2020 | HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1. |
| CVE-2020-25816 | — | | | >= 1.0.0-beta1, < 1.5.4 | 1.5.4 | Sep 30, 2020 | HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4. |
| CVE-2020-16251 | — | | | >= 0.8.3, < 1.2.5 | 1.2.5 | Aug 26, 2020 | HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1. |
| CVE-2020-16250 | — | | | >= 0.8.1, < 1.2.5 | 1.2.5 | Aug 26, 2020 | HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1. |
| CVE-2020-13223 | — | | | >= 1.3.0, < 1.3.6 | 1.3.6 | Jun 10, 2020 | HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2. |
| CVE-2020-10661 | — | | | >= 0.11.0, < 1.3.4 | 1.3.4 | Mar 23, 2020 | HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4. |
| CVE-2020-10660 | — | | | >= 0.9.0, < 1.3.4 | 1.3.4 | Mar 23, 2020 | HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4. |
| CVE-2020-7220 | — | | | >= 0.11.0, < 1.3.2 | 1.3.2 | Jan 23, 2020 | HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2. |
Page 3 of 3