Filtered by vendor Hashicorp
Subscribe
Total
143 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-7220 | 1 Hashicorp | 1 Vault | 2023-12-10 | 4.3 MEDIUM | 7.5 HIGH |
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2. | |||||
CVE-2020-7218 | 1 Hashicorp | 1 Nomad | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3. | |||||
CVE-2019-19879 | 1 Hashicorp | 1 Sentinel | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
HashiCorp Sentinel up to 0.10.1 incorrectly parsed negation in certain policy expressions. Fixed in 0.10.2. | |||||
CVE-2020-7956 | 1 Hashicorp | 1 Nomad | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3. | |||||
CVE-2019-19316 | 1 Hashicorp | 1 Terraform | 2023-12-10 | 4.3 MEDIUM | 7.5 HIGH |
When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP. | |||||
CVE-2020-7955 | 1 Hashicorp | 1 Consul | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. | |||||
CVE-2019-8336 | 1 Hashicorp | 1 Consul | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is used in unusual circumstances. | |||||
CVE-2019-9764 | 1 Hashicorp | 1 Consul | 2023-12-10 | 5.8 MEDIUM | 7.4 HIGH |
HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4. | |||||
CVE-2019-12291 | 1 Hashicorp | 1 Consul | 2023-12-10 | 6.4 MEDIUM | 7.5 HIGH |
HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured. | |||||
CVE-2019-12618 | 1 Hashicorp | 1 Nomad | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver. | |||||
CVE-2018-19653 | 1 Hashicorp | 1 Consul | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade. | |||||
CVE-2018-19786 | 1 Hashicorp | 1 Vault | 2023-12-10 | 4.3 MEDIUM | 8.1 HIGH |
HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported. | |||||
CVE-2018-15869 | 1 Hashicorp | 1 Packer | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog. | |||||
CVE-2017-16873 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
It is possible to exploit an unsanitized PATH in the suid binary that ships with vagrant-vmware-fusion 4.0.25 through 5.0.4 in order to escalate to root privileges. | |||||
CVE-2017-16839 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2023-12-10 | 6.9 MEDIUM | 7.0 HIGH |
Hashicorp vagrant-vmware-fusion 5.0.4 allows local users to steal root privileges if VMware Fusion is not installed. | |||||
CVE-2018-9057 | 1 Hashicorp | 1 Terraform | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned with a weak password. | |||||
CVE-2017-16512 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
The vagrant update process in Hashicorp vagrant-vmware-fusion 5.0.2 through 5.0.4 allows local users to steal root privileges via a crafted update request when no updates are available. | |||||
CVE-2017-11741 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2023-12-10 | 7.2 HIGH | 8.8 HIGH |
HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, allows local users to execute arbitrary code with root privileges by overwriting one of the scripts. | |||||
CVE-2017-15884 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2023-12-10 | 6.9 MEDIUM | 7.0 HIGH |
In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.0, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | |||||
CVE-2017-16001 | 1 Hashicorp | 1 Vagrant | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. |