Search
Total
10 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6337 | 1 Hashicorp | 1 Vault | 2024-01-12 | N/A | 7.5 HIGH |
| HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. Fixed in Vault 1.15.4, 1.14.8, 1.13.12. | |||||
| CVE-2023-5954 | 1 Hashicorp | 1 Vault | 2023-12-27 | N/A | 7.5 HIGH |
| HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10. | |||||
| CVE-2021-42135 | 1 Hashicorp | 1 Vault | 2022-07-12 | 4.9 MEDIUM | 8.1 HIGH |
| HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. | |||||
| CVE-2020-13223 | 1 Hashicorp | 1 Vault | 2022-02-21 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2. | |||||
| CVE-2020-7220 | 1 Hashicorp | 1 Vault | 2021-07-21 | 4.3 MEDIUM | 7.5 HIGH |
| HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2. | |||||
| CVE-2021-32923 | 1 Hashicorp | 1 Vault | 2021-06-16 | 5.8 MEDIUM | 7.4 HIGH |
| HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | |||||
| CVE-2021-29653 | 1 Hashicorp | 1 Vault | 2021-04-29 | 4.3 MEDIUM | 7.5 HIGH |
| HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1. | |||||
| CVE-2021-27400 | 1 Hashicorp | 1 Vault | 2021-04-27 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1 | |||||
| CVE-2021-3282 | 1 Hashicorp | 1 Vault | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. | |||||
| CVE-2018-19786 | 1 Hashicorp | 1 Vault | 2018-12-27 | 4.3 MEDIUM | 8.1 HIGH |
| HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported. | |||||