Filtered by vendor Hashicorp
Subscriptions
Total
152 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2017-16001 | 1 Hashicorp | 1 Vagrant | 2024-11-21 | N/A |
In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | ||||
CVE-2017-15884 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2024-11-21 | N/A |
In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.0, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | ||||
CVE-2017-12579 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2024-11-21 | N/A |
An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 4.0.24 and earlier allows a non-root user to obtain a root shell. | ||||
CVE-2017-11741 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2024-11-21 | N/A |
HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, allows local users to execute arbitrary code with root privileges by overwriting one of the scripts. | ||||
CVE-2024-9180 | 1 Hashicorp | 1 Vault | 2024-11-08 | 7.2 High |
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16. | ||||
CVE-2024-10006 | 1 Hashicorp | 1 Consul | 2024-11-08 | 8.3 High |
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. | ||||
CVE-2024-10005 | 1 Hashicorp | 1 Consul | 2024-11-08 | 8.1 High |
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. | ||||
CVE-2024-10086 | 1 Hashicorp | 1 Consul | 2024-11-08 | 6.1 Medium |
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. | ||||
CVE-2024-10228 | 1 Hashicorp | 1 Vagrant Vmware Utility | 2024-11-07 | 3.8 Low |
The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23 | ||||
CVE-2024-8185 | 1 Hashicorp | 1 Vault | 2024-11-01 | 7.5 High |
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself. This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12. | ||||
CVE-2024-7594 | 1 Hashicorp | 2 Vault Community Edition, Vault Enterprise | 2024-09-30 | 7.5 High |
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15. | ||||
CVE-2024-8365 | 1 Hashicorp | 1 Vault | 2024-09-04 | 6.2 Medium |
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9. |