Filtered by vendor Hashicorp Subscriptions
Total 152 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-13223 1 Hashicorp 1 Vault 2024-08-04 7.5 High
HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.
CVE-2020-13250 1 Hashicorp 1 Consul 2024-08-04 7.5 High
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.
CVE-2020-13170 1 Hashicorp 1 Consul 2024-08-04 7.5 High
HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
CVE-2020-12797 1 Hashicorp 1 Consul 2024-08-04 5.3 Medium
HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
CVE-2020-12758 1 Hashicorp 1 Consul 2024-08-04 7.5 High
HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0, fixed in 1.6.6 and 1.7.4.
CVE-2020-12757 1 Hashicorp 1 Vault 2024-08-04 9.8 Critical
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.
CVE-2020-10944 1 Hashicorp 1 Nomad 2024-08-04 5.4 Medium
HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. Fixed in 0.10.5.
CVE-2020-10660 1 Hashicorp 1 Vault 2024-08-04 5.3 Medium
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.
CVE-2020-10661 1 Hashicorp 1 Vault 2024-08-04 9.1 Critical
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.
CVE-2020-7956 1 Hashicorp 1 Nomad 2024-08-04 9.8 Critical
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3.
CVE-2020-7955 1 Hashicorp 1 Consul 2024-08-04 5.3 Medium
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
CVE-2020-7218 1 Hashicorp 1 Nomad 2024-08-04 7.5 High
HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3.
CVE-2020-7219 1 Hashicorp 1 Consul 2024-08-04 7.5 High
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
CVE-2020-7220 1 Hashicorp 1 Vault 2024-08-04 7.5 High
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.
CVE-2021-45042 1 Hashicorp 1 Vault 2024-08-04 4.9 Medium
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.
CVE-2021-44139 1 Hashicorp 1 Sentinel 2024-08-04 7.5 High
Sentinel 1.8.2 is vulnerable to Server-side request forgery (SSRF).
CVE-2021-43998 2 Hashicorp, Redhat 3 Vault, Openshift, Openshift Data Foundation 2024-08-04 6.5 Medium
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
CVE-2021-43415 1 Hashicorp 1 Nomad 2024-08-04 8.8 High
HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.
CVE-2021-42135 1 Hashicorp 1 Vault 2024-08-04 8.1 High
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.
CVE-2021-41865 1 Hashicorp 1 Nomad 2024-08-04 6.5 Medium
HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6.