VYPR
Vendor: HashiCorp

Products: 20
CVEs: 155
Across products: 229
Status: Private

Recent CVEs

  • CVE-2017-11741 · High · Aug 8, 2017
    risk 0.60 · cvss 8.8 · epss 0.01

    HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, which allows local users to execute arbitrary code with root privileges by overwriting one of the scripts.

  • CVE-2017-16777 · High · Nov 16, 2017
    risk 0.54 · cvss 7.8 · epss 0.01

    If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.3 is installed but VMware Fusion is not, a local attacker can create a fake application directory and exploit the suid sudo helper in order to escalate to root.

  • CVE-2017-16001 · High · Nov 6, 2017
    risk 0.54 · cvss 7.8 · epss 0.01

    In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges.

  • CVE-2017-12579 · High · Oct 19, 2017
    risk 0.54 · cvss 7.8 · epss 0.01

    An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 4.0.24 and earlier allows a non-root user to obtain a root shell.

  • CVE-2017-7642 · High · Aug 2, 2017
    risk 0.54 · cvss 7.8 · epss 0.01

    The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the encoded ruby script or scrub the PATH variable.

  • CVE-2026-7474 · High · May 12, 2026
    risk 0.51 · cvss 8.8 · epss 0.07

    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

  • CVE-2017-16873 · High · Mar 29, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    It is possible to exploit an unsanitized PATH in the suid binary that ships with vagrant-vmware-fusion 4.0.25 through 5.0.4 in order to escalate to root privileges.

  • CVE-2017-16512 · High · Mar 29, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    The vagrant update process in HashiCorp vagrant-vmware-fusion 5.0.2 through 5.0.4 allows local users to steal root privileges via a crafted update request when no updates are available.

  • CVE-2017-15884 · High · Oct 31, 2017
    risk 0.49 · cvss 7.0 · epss 0.01

    In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.0, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges.

  • CVE-2026-3605 · High · Apr 17, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor…

  • CVE-2017-16839 · High · Mar 29, 2018
    risk 0.46 · cvss 7.0 · epss 0.00

    HashiCorp vagrant-vmware-fusion 5.0.4 allows local users to steal root privileges if VMware Fusion is not installed.

  • CVE-2026-5807 · High · Apr 17, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these…

  • CVE-2026-4525 · High · Apr 17, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

  • CVE-2024-52941 · Medium · Nov 18, 2024
    risk 0.35 · cvss 5.4 · epss 0.00

    An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24695. It allows an authenticated remote attacker to inject a parameter into an HTTP request, allowing for Cross-Site Scripting (XSS) while viewing archived content. This could reflect back to an…

  • CVE-2026-8052 · Medium · May 12, 2026
    risk 0.32 · cvss 6.0 · epss 0.00

    HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.

  • CVE-2026-6959 · Medium · May 12, 2026
    risk 0.32 · cvss 6.0 · epss 0.00

    HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

  • CVE-2026-5052 · Medium · Apr 17, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and…

  • CVE-2026-5061 · Medium · May 12, 2026
    risk 0.24 · cvss 4.7 · epss 0.00

    The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.

  • CVE-2022-29153 · Apr 19, 2022
    risk 0.07 · cvss · epss 0.09

    HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

  • CVE-2026-2808 · Mar 11, 2026
    risk 0.00 · cvss · epss 0.00

    HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.