Vulnerabilities > Hashicorp

DATE CVE VULNERABILITY TITLE RISK
2024-10-30 CVE-2024-10005 Path Traversal vulnerability in Hashicorp Consul
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
network
low complexity
hashicorp CWE-22
5.8
2024-10-30 CVE-2024-10006 Improper Encoding or Escaping of Output vulnerability in Hashicorp Consul
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.
network
low complexity
hashicorp CWE-116
5.8
2024-10-30 CVE-2024-10086 Cross-site Scripting vulnerability in Hashicorp Consul
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.
network
low complexity
hashicorp CWE-79
6.1
2024-10-29 CVE-2024-10228 Incorrect Permission Assignment for Critical Resource vulnerability in Hashicorp Vagrant VMWare Utility
The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes.
local
low complexity
hashicorp CWE-732
3.3
2024-10-10 CVE-2024-9180 Unspecified vulnerability in Hashicorp Vault
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy.
network
low complexity
hashicorp
7.2
2024-09-02 CVE-2024-8365 Information Exposure Through Log Files vulnerability in Hashicorp Vault
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed.
network
low complexity
hashicorp CWE-532
6.5
2024-06-24 CVE-2024-6104 Information Exposure Through Log Files vulnerability in Hashicorp Retryablehttp
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file.
local
low complexity
hashicorp CWE-532
5.5
2024-02-08 CVE-2024-1329 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Hashicorp Nomad 1.5.13/1.6.6/1.7.3.
HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks.
network
low complexity
hashicorp CWE-610
7.5
2024-02-05 CVE-2024-1052 Improper Certificate Validation vulnerability in Hashicorp Boundary
Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering.
network
high complexity
hashicorp CWE-295
8.0
2024-02-01 CVE-2024-0831 Information Exposure Through Log Files vulnerability in Hashicorp Vault
Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.
network
low complexity
hashicorp CWE-532
6.5