VYPR

Hashicorp: all CVEs

155 total · sorted by risk
  • CVE-2023-0821 · Feb 16, 2023 · risk 0.00 · cvss n/a · epss 0.01

    In HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3, jobs whose artifact stanza points at a maliciously compressed source can cause excessive disk usage on the client agent that downloads it. Fixed in 1.2.16, 1.3.9, and 1.4.4.

  • CVE-2023-0475 · Feb 16, 2023 · risk 0.00 · cvss n/a · epss 0.00

    HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs: a small archive that inflates to a very large size can exhaust disk on the host that fetches it. Fixed in 1.7.0 and 2.2.0.
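The guard that both of the entries above (CVE-2023-0821 and CVE-2023-0475) call for is bounded decompression: the inflater is wrapped in a copy capped at a caller-chosen byte limit, so a few kilobytes of gzip that expand to megabytes are refused before they fill the disk. This is an added example, not go-getter's or Nomad's own code; the gzip input is constructed in-line from zeros and the size caps are arbitrary assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when inflating would exceed the caller's cap.
var ErrDecompressionLimit = errors.New("decompressed size exceeds limit")

// DecompressBounded inflates a gzip stream but never materialises more than
// maxBytes. It copies at most maxBytes+1 bytes: an archive exactly at the cap
// passes, one byte over fails, and memory/disk use is bounded by the cap rather
// than by whatever the archive happens to expand to.
func DecompressBounded(compressed []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	var out bytes.Buffer
	n, err := io.CopyN(&out, zr, maxBytes+1)
	if err != nil && !errors.Is(err, io.EOF) {
		return nil, err
	}
	if n > maxBytes {
		return nil, ErrDecompressionLimit
	}
	return out.Bytes(), nil
}

// MakeBomb gzips `size` zero bytes (constructed input for this example). Zeros
// compress at roughly 1000:1, so a few KB on the wire inflate to many MB.
func MakeBomb(size int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(make([]byte, size)); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	bomb := MakeBomb(8 << 20) // 8 MiB of zeros
	fmt.Printf("on-wire size: %d bytes\n", len(bomb))

	_, err := DecompressBounded(bomb, 1<<20) // 1 MiB cap (assumed): refused
	fmt.Println("1 MiB cap:", err)

	out, err := DecompressBounded(bomb, 16<<20) // 16 MiB cap (assumed): allowed
	fmt.Println("16 MiB cap:", len(out), "bytes,", err)
}
```

The cap should be set from the job's declared resource limits, not from the archive header, because the header is attacker-controlled.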

  • CVE-2023-0690 · Feb 8, 2023 · risk 0.00 · cvss n/a · epss 0.00

    HashiCorp Boundary from 0.10.0 through 0.11.2 contains an issue where, when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This…

  • CVE-2019-14802 · Dec 26, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template.

  • CVE-2022-47581 · Dec 21, 2022 · risk 0.00 · cvss n/a · epss 0.01

    Isode M-Vault 16.0v0 through 17.x before 17.0v24 can crash upon an LDAP v1 bind request.

  • CVE-2022-3920 · Nov 15, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster peering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

  • CVE-2022-3867 · Nov 10, 2022 · risk 0.00 · cvss n/a · epss 0.00

    In HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1, event stream subscribers using a token with a TTL keep receiving updates after the token expires, until the token is garbage collected. Fixed in 1.4.2.

  • CVE-2022-3866 · Nov 10, 2022 · risk 0.00 · cvss n/a · epss 0.01

    In HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1, the workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.

  • CVE-2022-36182 · Oct 27, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Boundary v0.8.0 is vulnerable to clickjacking, which allows for the interception of login credentials, redirection of users to malicious sites, or causing users to perform malicious actions on the site.

  • CVE-2022-41316 · Oct 12, 2022 · risk 0.00 · cvss n/a · epss 0.00

    HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0,…
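A client-certificate authenticator that fails closed on revocation, as an added example and not Vault's code: until a CRL has been loaded it rejects every certificate rather than silently skipping the revocation check, which is the gap the entry above describes. The CA, the two client certificates and the CRL are generated in memory as constructed fixtures with Go's crypto/x509 (the RevokedCertificateEntries field needs Go 1.21 or later); the serial numbers and names are arbitrary.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrCRLNotLoaded = errors.New("CRL not loaded; refusing to authenticate")
var ErrRevoked = errors.New("certificate is revoked")

// CertAuth fails closed: until a CRL is loaded it rejects every certificate rather
// than treating "no CRL yet" as "nothing is revoked".
type CertAuth struct {
	ca      *x509.Certificate
	revoked map[string]bool // serials from the loaded CRL; nil until LoadCRL succeeds
}

// LoadCRL parses a DER CRL, checks the CA signed it, and records the revoked serials.
func (a *CertAuth) LoadCRL(der []byte) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(a.ca); err != nil {
		return err
	}
	a.revoked = make(map[string]bool, len(crl.RevokedCertificateEntries))
	for _, e := range crl.RevokedCertificateEntries {
		a.revoked[e.SerialNumber.String()] = true
	}
	return nil
}

// Authenticate verifies the chain, then revocation; the second step is the one a
// verifier silently loses when the CRL "has not yet been retrieved".
func (a *CertAuth) Authenticate(leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(a.ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if a.revoked == nil {
		return ErrCRLNotLoaded
	}
	if a.revoked[leaf.SerialNumber.String()] {
		return ErrRevoked
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("client-%d", serial)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
}

// NewTestPKI builds in memory a CA, a revoked client cert (serial 42), a valid one
// (serial 43) and a CRL listing the revoked one. Constructed fixtures, not Vault's code.
func NewTestPKI() (auth *CertAuth, revoked, valid *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	revoked, valid = issueClient(ca, caKey, 42), issueClient(ca, caKey, 43)
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now().Add(-time.Minute)}},
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return &CertAuth{ca: ca}, revoked, valid, crlDER
}

func main() {
	auth, revoked, valid, crl := NewTestPKI()
	fmt.Println("before CRL load:", auth.Authenticate(valid)) // refused: CRL not loaded
	if err := auth.LoadCRL(crl); err != nil {
		panic(err)
	}
	fmt.Println("after CRL load:", auth.Authenticate(revoked), "/", auth.Authenticate(valid)) // revoked / <nil>
}
```

The operational consequence is that a CRL fetch failure at startup must block logins or page an operator; a verifier that treats an absent CRL as an empty one has the same bug as the entry above.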

  • CVE-2022-41606 · Oct 11, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.

  • CVE-2022-42717 · Oct 11, 2022 · risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in HashiCorp Vagrant before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers…

  • CVE-2021-41803 · Sep 23, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.

  • CVE-2022-40716 · Sep 23, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.
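The check the entry above says was missing, written as an added example rather than Consul's code: parse the CSR and refuse anything other than exactly one URI SAN (and no SANs of other types), because a second URI would let the requester obtain a leaf that also asserts a different service's identity, and intentions are evaluated against that identity. The SPIFFE-style URIs and the domain example.consul are constructed inputs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

var ErrSANCount = errors.New("csr must carry exactly one URI SAN")

// ValidateLeafCSR parses a DER CSR, checks its self-signature, and enforces that it
// names exactly one identity: one URI SAN and no DNS, IP or email SANs through which
// the requester could smuggle a second name. It returns that URI (a SPIFFE-style ID).
func ValidateLeafCSR(der []byte) (*url.URL, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if len(csr.URIs) != 1 {
		return nil, fmt.Errorf("%w: got %d", ErrSANCount, len(csr.URIs))
	}
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses) != 0 {
		return nil, errors.New("csr carries non-URI SANs")
	}
	return csr.URIs[0], nil
}

// MakeCSR builds a DER CSR carrying the given URI SANs (constructed input for the example).
func MakeCSR(uris ...string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.CertificateRequest{}
	for _, u := range uris {
		parsed, err := url.Parse(u)
		if err != nil {
			panic(err)
		}
		tmpl.URIs = append(tmpl.URIs, parsed)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	// example.consul and these service paths are assumed names, not real cluster data
	web := "spiffe://example.consul/ns/default/dc/dc1/svc/web"
	admin := "spiffe://example.consul/ns/default/dc/dc1/svc/admin"

	id, err := ValidateLeafCSR(MakeCSR(web))
	fmt.Println("single SAN:", id, err) // accepted

	_, err = ValidateLeafCSR(MakeCSR(web, admin))
	fmt.Println("two SANs:", err) // rejected: a 'web' requester must not also be issued 'admin'
}
```

The count check belongs on the signing side, not the client: the client already holds a privileged token, and the point of the check is to keep that token from minting identities it was never granted.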

  • CVE-2022-40186 · Sep 22, 2022 · risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an…

  • CVE-2022-36130 · Sep 1, 2022 · risk 0.00 · cvss n/a · epss 0.00

    HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2.

  • CVE-2022-38149 · Aug 17, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may expose the contents of Vault secrets in the error returned by the *template.Template.Execute method, when given a template using Vault secret contents incorrectly. Fixed in 0.27.3, 0.28.3, and 0.29.2.

  • CVE-2022-36129 · Jul 26, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or…

  • CVE-2022-30324 · May 27, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.

  • CVE-2022-30689 · May 17, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set.…

  • CVE-2022-25243 · Mar 7, 2022 · risk 0.00 · cvss n/a · epss 0.01

    Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in…
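A simplified model of the role check, written as an added example and not Vault's implementation. It treats a wildcard name as a subdomain request for the name under the wildcard, so allow_subdomains=false rejects *.example.com, and it additionally gates wildcards behind allow_wildcard_certificates, the role flag Vault added alongside this fix. The domain example.com and the flag combinations are assumptions for the illustration; Vault's real role has more knobs (allow_glob_domains, allow_any_name, and so on) that this model leaves out.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PKIRole is a simplified model of the Vault PKI role flags that decide which names
// a requester may put in a certificate. It is an illustration, not Vault's code.
type PKIRole struct {
	AllowedDomains            []string
	AllowBareDomains          bool // may request exactly an allowed domain
	AllowSubdomains           bool // may request children of an allowed domain, wildcards included
	AllowWildcardCertificates bool // may request a "*." name at all
}

var ErrNameNotAllowed = errors.New("name not permitted by role")

// AllowsName reports whether the role permits issuing for name. A wildcard name is
// treated as a subdomain request for the name under the wildcard, so
// allow_subdomains=false rejects *.example.com even when wildcards are enabled.
func (r PKIRole) AllowsName(name string) error {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return ErrNameNotAllowed
	}
	wildcard := strings.HasPrefix(name, "*.")
	base := strings.TrimPrefix(name, "*.")
	// A "*" anywhere other than as the whole leftmost label is never acceptable.
	if base == "" || strings.Contains(base, "*") {
		return fmt.Errorf("%w: wildcard must be the whole leftmost label", ErrNameNotAllowed)
	}
	if wildcard && !r.AllowWildcardCertificates {
		return fmt.Errorf("%w: wildcard certificates disabled", ErrNameNotAllowed)
	}
	for _, d := range r.AllowedDomains {
		d = strings.ToLower(d)
		if base == d && !wildcard && r.AllowBareDomains {
			return nil // exactly the allowed domain
		}
		// Suffix match uses "."+d so that notexample.com does not match example.com.
		if (base == d && wildcard || strings.HasSuffix(base, "."+d)) && r.AllowSubdomains {
			return nil // a child of the allowed domain, or a wildcard over it
		}
	}
	return ErrNameNotAllowed
}

func main() {
	// example.com and the flag combinations below are assumptions for the illustration.
	role := PKIRole{AllowedDomains: []string{"example.com"}, AllowBareDomains: true, AllowWildcardCertificates: true}
	for _, n := range []string{"example.com", "www.example.com", "*.example.com", "notexample.com"} {
		fmt.Printf("allow_subdomains=false %-20s %v\n", n, role.AllowsName(n))
	}
	role.AllowSubdomains = true
	for _, n := range []string{"*.example.com", "*.api.example.com", "www.*.example.com"} {
		fmt.Printf("allow_subdomains=true  %-20s %v\n", n, role.AllowsName(n))
	}
}
```

When auditing a real role, check the two flags together: a wildcard grant is only as narrow as the subdomain grant it rides on, and a role that disables subdomains but still issues *.example.com has the shape of the bug in the entry above.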

  • CVE-2022-25244 · Mar 7, 2022 · risk 0.00 · cvss n/a · epss 0.01

    Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10.

  • CVE-2022-24685 · Feb 28, 2022 · risk 0.00 · cvss n/a · epss 0.02

    HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.

  • CVE-2022-25374 · Feb 25, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1.

  • CVE-2022-24687 · Feb 24, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3.

  • CVE-2022-24683 · Feb 17, 2022 · risk 0.00 · cvss n/a · epss 0.02

    HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.

  • CVE-2022-24684 · Feb 15, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.

  • CVE-2022-24686 · Feb 14, 2022 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6.

  • CVE-2021-45042 · Dec 17, 2021 · risk 0.00 · cvss n/a · epss 0.01

    In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage…

  • CVE-2021-41805 · Dec 12, 2021 · risk 0.00 · cvss n/a · epss 0.35

    HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.

  • CVE-2021-44677 · Dec 6, 2021 · risk 0.00 · cvss n/a · epss 0.02

    An issue (1 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited…

  • CVE-2021-44678 · Dec 6, 2021 · risk 0.00 · cvss n/a · epss 0.02

    An issue (2 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited…

  • CVE-2021-44679 · Dec 6, 2021 · risk 0.00 · cvss n/a · epss 0.02

    An issue (3 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited…

  • CVE-2021-44680 · Dec 6, 2021 · risk 0.00 · cvss n/a · epss 0.02

    An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited…

  • CVE-2021-44681 · Dec 6, 2021 · risk 0.00 · cvss n/a · epss 0.02

    An issue (5 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited…

  • CVE-2021-44682 · Dec 6, 2021 · risk 0.00 · cvss n/a · epss 0.02

    An issue (6 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited…

  • CVE-2021-41865 · Oct 7, 2021 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6.

  • CVE-2021-40862 · Sep 15, 2021 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1.

  • CVE-2021-27668 · Aug 31, 2021 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.

  • CVE-2021-36230 · Jul 20, 2021 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. Fixed in v202107-1.

  • CVE-2021-27400 · Apr 22, 2021 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1.

  • CVE-2021-29653 · Apr 22, 2021 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.

  • CVE-2021-30476 · Apr 22, 2021 · risk 0.00 · cvss n/a · epss 0.02

    HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.

  • CVE-2021-28156 · Apr 20, 2021 · risk 0.00 · cvss n/a · epss 0.02

    HashiCorp Consul Enterprise 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.8.10 and 1.9.5.

  • CVE-2021-3153 · Mar 26, 2021 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1.

  • CVE-2021-3024 · Feb 1, 2021 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

  • CVE-2020-25594 · Feb 1, 2021 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

  • CVE-2020-36164 · Jan 6, 2021 · risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Veritas Enterprise Vault through 14.0. On start-up, it loads the OpenSSL library. The OpenSSL library then attempts to load the openssl.cnf configuration file (which does not exist) at the following locations in both the System drive (typically C:\)…

  • CVE-2020-35453 · Dec 17, 2020 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.

  • CVE-2020-15511 · Jul 30, 2020 · risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. Fixed in v202007-1.