Filtered by vendor Hashicorp Subscriptions
Total 152 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-29153 2 Fedoraproject, Hashicorp 2 Fedora, Consul 2024-08-03 7.5 High
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
CVE-2022-26945 2 Hashicorp, Redhat 3 Go-getter, Openshift, Openstack 2024-08-03 9.8 Critical
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-25374 1 Hashicorp 1 Terraform Enterprise 2024-08-03 7.5 High
HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1.
CVE-2022-25244 1 Hashicorp 1 Vault 2024-08-03 6.5 Medium
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10.
CVE-2022-25243 1 Hashicorp 1 Vault 2024-08-03 6.5 Medium
"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.
CVE-2022-24683 1 Hashicorp 1 Nomad 2024-08-03 7.5 High
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.
CVE-2022-24685 1 Hashicorp 1 Nomad 2024-08-03 7.5 High
HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.
CVE-2022-24687 1 Hashicorp 1 Consul 2024-08-03 6.5 Medium
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3.
CVE-2022-24686 1 Hashicorp 1 Nomad 2024-08-03 5.9 Medium
HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6
CVE-2022-24684 1 Hashicorp 1 Nomad 2024-08-03 6.5 Medium
HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.
CVE-2022-3920 1 Hashicorp 1 Consul 2024-08-03 5.3 Medium
HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.
CVE-2022-3867 1 Hashicorp 1 Nomad 2024-08-03 2.7 Low
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2.
CVE-2022-3866 1 Hashicorp 1 Nomad 2024-08-03 5 Medium
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.
CVE-2023-24999 2 Hashicorp, Redhat 2 Vault, Openshift Data Foundation 2024-08-02 4.4 Medium
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
CVE-2023-25000 2 Hashicorp, Redhat 3 Vault, Openshift, Openshift Data Foundation 2024-08-02 5 Medium
HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.
CVE-2023-6337 1 Hashicorp 1 Vault 2024-08-02 7.5 High
HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. Fixed in Vault 1.15.4, 1.14.8, 1.13.12.
CVE-2023-5954 2 Hashicorp, Redhat 3 Vault, Openshift, Openshift Data Foundation 2024-08-02 5.9 Medium
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.
CVE-2023-2197 1 Hashicorp 1 Vault 2024-08-02 2.5 Low
HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2
CVE-2023-2121 2 Hashicorp, Redhat 2 Vault, Openshift Data Foundation 2024-08-02 4.3 Medium
Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.
CVE-2023-1782 1 Hashicorp 1 Nomad 2024-08-02 10 Critical
HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.