Filtered by vendor Hashicorp
Subscribe
Total
150 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41802 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.5 MEDIUM | 2.9 LOW |
| HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. | |||||
| CVE-2021-40862 | 1 Hashicorp | 1 Terraform Enterprise | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1. | |||||
| CVE-2021-3283 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3. | |||||
| CVE-2021-3282 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. | |||||
| CVE-2021-3153 | 1 Hashicorp | 1 Terraform Enterprise | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1. | |||||
| CVE-2021-3121 | 2 Golang, Hashicorp | 2 Protobuf, Consul | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
| An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. | |||||
| CVE-2021-3024 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | |||||
| CVE-2021-38698 | 1 Hashicorp | 1 Consul | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. | |||||
| CVE-2021-38554 | 1 Hashicorp | 1 Vault | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
| HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. | |||||
| CVE-2021-38553 | 1 Hashicorp | 1 Vault | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM |
| HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. | |||||
| CVE-2021-37219 | 1 Hashicorp | 1 Consul | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. | |||||
| CVE-2021-37218 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.0.10 and 1.1.4. | |||||
| CVE-2021-36230 | 1 Hashicorp | 1 Terraform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. Fixed in v202107-1. | |||||
| CVE-2021-36213 | 1 Hashicorp | 1 Consul | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1. | |||||
| CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | |||||
| CVE-2021-32575 | 1 Hashicorp | 1 Nomad | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1. | |||||
| CVE-2021-32574 | 1 Hashicorp | 1 Consul | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. | |||||
| CVE-2021-32074 | 1 Hashicorp | 1 Vault-action | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking. | |||||
| CVE-2021-30476 | 1 Hashicorp | 1 Terraform Provider | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1. | |||||
| CVE-2021-29653 | 1 Hashicorp | 1 Vault | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1. | |||||