Filtered by vendor Hashicorp
Total: 16 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36129 | 1 Hashicorp | 1 Vault | 2023-08-08 | N/A | 9.1 CRITICAL |
| HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1. | |||||
| CVE-2022-26945 | 1 Hashicorp | 1 Go-getter | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0. | |||||
| CVE-2022-30324 | 1 Hashicorp | 1 Nomad | 2022-06-10 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1. | |||||
| CVE-2022-30322 | 1 Hashicorp | 1 Go-getter | 2022-06-07 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 2 of 3). | |||||
| CVE-2022-30323 | 1 Hashicorp | 1 Go-getter | 2022-06-07 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 3 of 3). | |||||
| CVE-2020-16250 | 1 Hashicorp | 1 Vault | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1. | |||||
| CVE-2021-30476 | 1 Hashicorp | 1 Terraform Provider | 2021-04-29 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1. | |||||
| CVE-2020-29564 | 1 Hashicorp | 1 Consul Docker Image | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL |
| The official Consul Docker images 0.7.1 through 1.4.2 contain a blank password for a root user. Systems using the Consul Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-35192 | 1 Hashicorp | 1 Vault | 2020-12-18 | 10.0 HIGH | 9.8 CRITICAL |
| The official vault docker images before 0.11.6 contain a blank password for a root user. Systems using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-27195 | 1 Hashicorp | 1 Nomad | 2020-11-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6. | |||||
| CVE-2020-12757 | 1 Hashicorp | 1 Vault | 2020-10-12 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2. | |||||
| CVE-2020-16251 | 1 Hashicorp | 1 Vault | 2020-10-06 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1. | |||||
| CVE-2019-12618 | 1 Hashicorp | 1 Nomad | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver. | |||||
| CVE-2020-10661 | 1 Hashicorp | 1 Vault | 2020-03-25 | 5.8 MEDIUM | 9.1 CRITICAL |
| HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4. | |||||
| CVE-2020-7956 | 1 Hashicorp | 1 Nomad | 2020-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3. | |||||
| CVE-2018-9057 | 1 Hashicorp | 1 Terraform | 2018-04-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password. | |||||
