Vulnerabilities > Hashicorp

DATE CVE VULNERABILITY TITLE RISK
2023-03-14 CVE-2023-1296 Missing Authorization vulnerability in Hashicorp Nomad
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correctly enforce deny policies applied to a workload’s variables.
network
low complexity
hashicorp CWE-862
5.3
2023-03-14 CVE-2023-1299 Unspecified vulnerability in Hashicorp Nomad 1.5.0
HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API.
network
low complexity
hashicorp
8.8
2023-03-11 CVE-2023-24999 Incorrect Authorization vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor.
network
low complexity
hashicorp CWE-863
8.1
2023-03-09 CVE-2023-0845 NULL Pointer Dereference vulnerability in Hashicorp Consul
Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances.
network
low complexity
hashicorp CWE-476
6.5
2023-02-16 CVE-2023-0821 Unspecified vulnerability in Hashicorp Nomad
HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage.
network
low complexity
hashicorp
6.5
2023-02-16 CVE-2023-0475 Unspecified vulnerability in Hashicorp Go-Getter
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs.
network
low complexity
hashicorp
6.5
2023-02-08 CVE-2023-0690 Missing Encryption of Sensitive Data vulnerability in Hashicorp Boundary
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS.
local
low complexity
hashicorp CWE-311
7.1
2022-11-16 CVE-2022-3920 Missing Authorization vulnerability in Hashicorp Consul 1.13.0/1.13.1/1.13.2
HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI.
network
low complexity
hashicorp CWE-862
7.5
2022-11-10 CVE-2022-3866 Exposure of Resource to Wrong Sphere vulnerability in Hashicorp Nomad 1.4.0/1.4.1
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace.
network
low complexity
hashicorp CWE-668
4.3
2022-11-10 CVE-2022-3867 Insufficient Session Expiration vulnerability in Hashicorp Nomad 1.4.0/1.4.1
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected.
network
low complexity
hashicorp CWE-613
4.3