VYPR

Go modules package

github.com/hashicorp/vault

pkg:golang/github.com/hashicorp/vault

Vulnerabilities (55)

  • CVE-2021-43998MedNov 30, 2021
    affected >= 0.11.0, < 1.7.6fixed 1.7.6

    HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed i

  • CVE-2021-42135HigOct 11, 2021
    affected >= 1.8.0, <= 1.8.4

    HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset

  • CVE-2021-41802LowOct 8, 2021
    affected < 1.7.5fixed 1.7.5

    HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.

  • CVE-2021-38554MedAug 13, 2021
    affected < 1.6.6fixed 1.6.6

    HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

  • CVE-2021-38553MedAug 13, 2021
    affected >= 1.4.0, < 1.8.0fixed 1.8.0

    HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

  • CVE-2021-32923HigJun 3, 2021
    affected >= 1.7.0, < 1.7.2fixed 1.7.2

    HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5,

  • CVE-2021-3282HigFeb 1, 2021
    affected >= 1.6.0, < 1.6.2fixed 1.6.2

    HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.

  • CVE-2020-35177MedDec 17, 2020
    affected >= 1.5.0, < 1.5.6fixed 1.5.6

    HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

  • CVE-2020-25816MedSep 30, 2020
    affected >= 1.0.0-beta1, < 1.5.4fixed 1.5.4

    HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.

  • CVE-2020-16251HigAug 26, 2020
    affected >= 0.8.3, < 1.2.5fixed 1.2.5

    HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

  • CVE-2020-16250HigAug 26, 2020
    affected >= 0.8.1, < 1.2.5fixed 1.2.5

    HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..

  • CVE-2020-13223HigJun 10, 2020
    affected >= 1.3.0, < 1.3.6fixed 1.3.6

    HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.

  • CVE-2020-10661CriMar 23, 2020
    affected >= 0.11.0, < 1.3.4fixed 1.3.4

    HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.

  • CVE-2020-10660MedMar 23, 2020
    affected >= 0.9.0, < 1.3.4fixed 1.3.4

    HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

  • CVE-2020-7220HigJan 23, 2020
    affected >= 0.11.0, < 1.3.2fixed 1.3.2

    HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.

Page 3 of 3