Filtered by vendor Hashicorp
Total: 152 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2019-12618 | 1 Hashicorp | 1 Nomad | 2024-08-04 | N/A | HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver.
CVE-2019-12291 | 1 Hashicorp | 1 Consul | 2024-08-04 | N/A | HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.
CVE-2019-9764 | 1 Hashicorp | 1 Consul | 2024-08-04 | N/A | HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4.
CVE-2019-8336 | 1 Hashicorp | 1 Consul | 2024-08-04 | N/A | HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is used in unusual circumstances.
CVE-2020-35453 | 1 Hashicorp | 1 Vault | 2024-08-04 | 5.3 Medium | HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.
CVE-2020-35192 | 1 Hashicorp | 1 Vault | 2024-08-04 | 9.8 Critical | The official Vault Docker images before 0.11.6 contain a blank password for a root user. Systems using the Vault Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-35177 | 1 Hashicorp | 1 Vault | 2024-08-04 | 5.3 Medium | HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
CVE-2020-29564 | 1 Hashicorp | 1 Consul Docker Image | 2024-08-04 | 9.8 Critical | The official Consul Docker images 0.7.1 through 1.4.2 contain a blank password for a root user. Systems using the Consul Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-29529 | 2 Hashicorp, Redhat | 2 Go-slug, Acm | 2024-08-04 | 7.5 High | HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
CVE-2020-28348 | 1 Hashicorp | 1 Nomad | 2024-08-04 | 6.5 Medium | HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.
CVE-2020-28053 | 1 Hashicorp | 1 Consul | 2024-08-04 | 6.5 Medium | HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.
CVE-2020-27195 | 1 Hashicorp | 1 Nomad | 2024-08-04 | 9.1 Critical | HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6.
CVE-2020-25864 | 1 Hashicorp | 1 Consul | 2024-08-04 | 6.1 Medium | HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10, and 1.7.14.
CVE-2020-25816 | 1 Hashicorp | 1 Vault | 2024-08-04 | 6.8 Medium | HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.
CVE-2020-25594 | 1 Hashicorp | 1 Vault | 2024-08-04 | 5.3 Medium | HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 and 1.5.7.
CVE-2020-25201 | 1 Hashicorp | 1 Consul | 2024-08-04 | 7.5 High | HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.
CVE-2020-24359 | 1 Hashicorp | 1 Vault-ssh-helper | 2024-08-04 | 7.5 High | HashiCorp vault-ssh-helper up to and including version 0.1.6 incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP address assigned to that interface. Fixed in 0.2.0.
CVE-2020-16250 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-08-04 | 8.2 High | HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
CVE-2020-16251 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2024-08-04 | 8.2 High | HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
CVE-2020-15511 | 1 Hashicorp | 1 Terraform Enterprise | 2024-08-04 | 5.3 Medium | HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. Fixed in v202007-1.