Filtered by vendor Hashicorp
Subscriptions
Filtered by product Vault
Subscriptions
Total
48 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-45042 | 1 Hashicorp | 1 Vault | 2024-11-21 | 4.9 Medium |
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0. | ||||
CVE-2021-43998 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-11-21 | 6.5 Medium |
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0. | ||||
CVE-2021-42135 | 1 Hashicorp | 1 Vault | 2024-11-21 | 8.1 High |
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. | ||||
CVE-2021-41802 | 1 Hashicorp | 1 Vault | 2024-11-21 | 2.9 Low |
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. | ||||
CVE-2021-3282 | 1 Hashicorp | 1 Vault | 2024-11-21 | 7.5 High |
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. | ||||
CVE-2021-3024 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.3 Medium |
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | ||||
CVE-2021-38554 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.3 Medium |
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. | ||||
CVE-2021-38553 | 1 Hashicorp | 1 Vault | 2024-11-21 | 4.4 Medium |
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. | ||||
CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2024-11-21 | 7.4 High |
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | ||||
CVE-2021-29653 | 1 Hashicorp | 1 Vault | 2024-11-21 | 7.5 High |
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1. | ||||
CVE-2021-27668 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.3 Medium |
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3. | ||||
CVE-2021-27400 | 1 Hashicorp | 1 Vault | 2024-11-21 | 7.5 High |
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1 | ||||
CVE-2020-7220 | 1 Hashicorp | 1 Vault | 2024-11-21 | 7.5 High |
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2. | ||||
CVE-2020-35453 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.3 Medium |
HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1. | ||||
CVE-2020-35192 | 1 Hashicorp | 1 Vault | 2024-11-21 | 9.8 Critical |
The official vault docker images before 0.11.6 contain a blank password for a root user. System using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | ||||
CVE-2020-35177 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.3 Medium |
HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1. | ||||
CVE-2020-25816 | 1 Hashicorp | 1 Vault | 2024-11-21 | 6.8 Medium |
HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4. | ||||
CVE-2020-25594 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.3 Medium |
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | ||||
CVE-2020-16251 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-11-21 | 8.2 High |
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1. | ||||
CVE-2020-16250 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-11-21 | 8.2 High |
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.. |