Vulnerabilities > Hashicorp
| Date | CVE | Vulnerability | Description | Score |
|---|---|---|---|---|
| 2021-07-20 | CVE-2021-36230 | Incorrect Authorization vulnerability in Hashicorp Terraform | HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner. | 6.5 |
| 2021-07-17 | CVE-2021-32574 | Improper Certificate Validation vulnerability in Hashicorp Consul | HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. | 5.0 |
| 2021-07-17 | CVE-2021-36213 | Unspecified vulnerability in Hashicorp Consul | HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. | 5.0 |
| 2021-06-17 | CVE-2021-32575 | Unspecified vulnerability in Hashicorp Nomad | HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. | 3.3 |
| 2021-06-03 | CVE-2021-32923 | Insufficient Session Expiration vulnerability in Hashicorp Vault | HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. | 5.8 |
| 2021-05-07 | CVE-2021-32074 | Information Exposure Through LOG Files vulnerability in Hashicorp Vault-Action | HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking. | 5.0 |
| 2021-04-22 | CVE-2021-30476 | Unspecified vulnerability in Hashicorp Terraform Provider | HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. | 7.5 |
| 2021-04-22 | CVE-2021-29653 | Improper Certificate Validation vulnerability in Hashicorp Vault | HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. | 4.3 |
| 2021-04-22 | CVE-2021-27400 | Improper Certificate Validation vulnerability in Hashicorp Vault | HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. | 5.0 |
| 2021-04-20 | CVE-2020-25864 | Cross-Site Scripting vulnerability in Hashicorp Consul | HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. | 4.3 |