Filtered by vendor Hashicorp
Subscribe
Total
143 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-1297 | 1 Hashicorp | 1 Consul | 2023-12-10 | N/A | 7.5 HIGH |
Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3 | |||||
CVE-2023-0665 | 1 Hashicorp | 1 Vault | 2023-12-10 | N/A | 6.5 MEDIUM |
HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9. | |||||
CVE-2023-25000 | 1 Hashicorp | 1 Vault | 2023-12-10 | N/A | 4.7 MEDIUM |
HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9. | |||||
CVE-2023-0620 | 1 Hashicorp | 1 Vault | 2023-12-10 | N/A | 6.7 MEDIUM |
HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin through the local, certain parameters are not sanitized when passed to the user-provided MSSQL database. An attacker may modify these parameters to execute a malicious SQL command. This issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9. | |||||
CVE-2023-3114 | 1 Hashicorp | 1 Terraform Enterprise | 2023-12-10 | N/A | 7.7 HIGH |
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1. | |||||
CVE-2023-2816 | 1 Hashicorp | 1 Consul | 2023-12-10 | N/A | 6.5 MEDIUM |
Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies. | |||||
CVE-2019-14802 | 1 Hashicorp | 1 Nomad | 2023-12-10 | N/A | 5.3 MEDIUM |
HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template. | |||||
CVE-2023-0845 | 1 Hashicorp | 1 Consul | 2023-12-10 | N/A | 6.5 MEDIUM |
Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5. | |||||
CVE-2023-0475 | 1 Hashicorp | 1 Go-getter | 2023-12-10 | N/A | 6.5 MEDIUM |
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0. | |||||
CVE-2023-0690 | 1 Hashicorp | 1 Boundary | 2023-12-10 | N/A | 7.1 HIGH |
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0. | |||||
CVE-2023-0821 | 1 Hashicorp | 1 Nomad | 2023-12-10 | N/A | 6.5 MEDIUM |
HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4. | |||||
CVE-2023-1299 | 1 Hashicorp | 1 Nomad | 2023-12-10 | N/A | 8.8 HIGH |
HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1. | |||||
CVE-2023-24999 | 1 Hashicorp | 1 Vault | 2023-12-10 | N/A | 8.1 HIGH |
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. | |||||
CVE-2023-1296 | 1 Hashicorp | 1 Nomad | 2023-12-10 | N/A | 5.3 MEDIUM |
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables. Fixed in 1.4.6 and 1.5.1. | |||||
CVE-2022-36130 | 1 Hashicorp | 1 Boundary | 2023-12-10 | N/A | 9.9 CRITICAL |
HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. Fixed in Boundary 0.10.2. | |||||
CVE-2022-42717 | 2 Hashicorp, Linux | 2 Vagrant, Linux Kernel | 2023-12-10 | N/A | 7.8 HIGH |
An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root. | |||||
CVE-2022-38149 | 1 Hashicorp | 1 Consul Template | 2023-12-10 | N/A | 7.5 HIGH |
HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may expose the contents of Vault secrets in the error returned by the *template.Template.Execute method, when given a template using Vault secret contents incorrectly. Fixed in 0.27.3, 0.28.3, and 0.29.2. | |||||
CVE-2022-36129 | 1 Hashicorp | 1 Vault | 2023-12-10 | N/A | 9.1 CRITICAL |
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1. | |||||
CVE-2022-3867 | 1 Hashicorp | 1 Nomad | 2023-12-10 | N/A | 4.3 MEDIUM |
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2. | |||||
CVE-2022-41316 | 1 Hashicorp | 1 Vault | 2023-12-10 | N/A | 5.3 MEDIUM |
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10. |