Filtered by vendor Hashicorp Subscriptions
Total 152 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-3282 1 Hashicorp 1 Vault 2024-08-03 7.5 High
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
CVE-2021-3283 1 Hashicorp 1 Nomad 2024-08-03 7.5 High
HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3.
CVE-2021-3153 1 Hashicorp 1 Terraform Enterprise 2024-08-03 6.5 Medium
HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1.
CVE-2021-3121 3 Golang, Hashicorp, Redhat 9 Protobuf, Consul, Acm and 6 more 2024-08-03 8.6 High
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
CVE-2021-3024 1 Hashicorp 1 Vault 2024-08-03 5.3 Medium
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
CVE-2022-42717 2 Hashicorp, Linux 2 Vagrant, Linux Kernel 2024-08-03 7.8 High
An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root.
CVE-2022-41606 1 Hashicorp 1 Nomad 2024-08-03 6.5 Medium
HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.
CVE-2022-41316 2 Hashicorp, Redhat 3 Vault, Openshift, Openshift Data Foundation 2024-08-03 5.3 Medium
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
CVE-2022-40716 1 Hashicorp 1 Consul 2024-08-03 6.5 Medium
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."
CVE-2022-40186 2 Hashicorp, Redhat 2 Vault, Openshift Data Foundation 2024-08-03 9.1 Critical
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.
CVE-2022-38149 2 Hashicorp, Redhat 2 Consul Template, Openshift Data Foundation 2024-08-03 7.5 High
HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may expose the contents of Vault secrets in the error returned by the *template.Template.Execute method, when given a template using Vault secret contents incorrectly. Fixed in 0.27.3, 0.28.3, and 0.29.2.
CVE-2022-36182 1 Hashicorp 1 Boundary 2024-08-03 6.1 Medium
Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site.
CVE-2022-36130 1 Hashicorp 1 Boundary 2024-08-03 9.9 Critical
HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2.
CVE-2022-36129 1 Hashicorp 1 Vault 2024-08-03 9.1 Critical
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.
CVE-2022-30689 1 Hashicorp 1 Vault 2024-08-03 5.3 Medium
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.
CVE-2022-30324 1 Hashicorp 1 Nomad 2024-08-03 9.8 Critical
HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1.
CVE-2022-30321 2 Hashicorp, Redhat 3 Go-getter, Openshift, Openstack 2024-08-03 8.6 High
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322 2 Hashicorp, Redhat 3 Go-getter, Openshift, Openstack 2024-08-03 8.6 High
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323 2 Hashicorp, Redhat 3 Go-getter, Openshift, Openstack 2024-08-03 8.6 High
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
CVE-2022-29810 2 Hashicorp, Redhat 4 Go-getter, Acm, Openshift and 1 more 2024-08-03 5.5 Medium
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.