Filtered by vendor Hashicorp Subscriptions
Total 152 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-4782 1 Hashicorp 1 Terraform 2024-09-26 6.3 Medium
Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. This vulnerability is fixed in Terraform 1.5.7.
CVE-2020-8567 3 Google, Hashicorp, Microsoft 3 Secret Manager Provider For Secret Store Csi Driver, Vault Provider For Secrets Store Csi Driver, Azure Key Vault Provider For Secrets Store Csi Driver 2024-09-16 4.9 Medium
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2023-5834 1 Hashicorp 1 Vagrant 2024-09-09 3.8 Low
HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.
CVE-2024-8365 1 Hashicorp 1 Vault 2024-09-04 6.2 Medium
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
CVE-2017-16839 1 Hashicorp 1 Vagrant Vmware Fusion 2024-08-05 N/A
Hashicorp vagrant-vmware-fusion 5.0.4 allows local users to steal root privileges if VMware Fusion is not installed.
CVE-2017-16873 1 Hashicorp 1 Vagrant Vmware Fusion 2024-08-05 N/A
It is possible to exploit an unsanitized PATH in the suid binary that ships with vagrant-vmware-fusion 4.0.25 through 5.0.4 in order to escalate to root privileges.
CVE-2017-16777 1 Hashicorp 1 Vagrant 2024-08-05 N/A
If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.3 is installed but VMware Fusion is not, a local attacker can create a fake application directory and exploit the suid sudo helper in order to escalate to root.
CVE-2017-16512 1 Hashicorp 1 Vagrant Vmware Fusion 2024-08-05 N/A
The vagrant update process in Hashicorp vagrant-vmware-fusion 5.0.2 through 5.0.4 allows local users to steal root privileges via a crafted update request when no updates are available.
CVE-2017-16001 1 Hashicorp 1 Vagrant 2024-08-05 N/A
In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges.
CVE-2017-15884 1 Hashicorp 1 Vagrant Vmware Fusion 2024-08-05 N/A
In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.0, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges.
CVE-2017-12579 1 Hashicorp 1 Vagrant Vmware Fusion 2024-08-05 N/A
An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 4.0.24 and earlier allows a non-root user to obtain a root shell.
CVE-2017-11741 1 Hashicorp 1 Vagrant Vmware Fusion 2024-08-05 N/A
HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, allows local users to execute arbitrary code with root privileges by overwriting one of the scripts.
CVE-2017-7642 1 Hashicorp 1 Vagrant Vmware Fusion 2024-08-05 N/A
The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the encoded ruby script or scrub the PATH variable.
CVE-2018-19786 1 Hashicorp 1 Vault 2024-08-05 7.3 High
HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported.
CVE-2018-19653 1 Hashicorp 1 Consul 2024-08-05 N/A
HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.
CVE-2018-15869 1 Hashicorp 1 Packer 2024-08-05 N/A
An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
CVE-2018-9057 1 Hashicorp 1 Terraform 2024-08-05 N/A
aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password.
CVE-2019-19879 1 Hashicorp 1 Sentinel 2024-08-05 7.5 High
HashiCorp Sentinel up to 0.10.1 incorrectly parsed negation in certain policy expressions. Fixed in 0.10.2.
CVE-2019-19316 1 Hashicorp 1 Terraform 2024-08-05 7.5 High
When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP.
CVE-2019-14802 1 Hashicorp 1 Nomad 2024-08-05 5.3 Medium
HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template.