Vulnerabilities: HashiCorp

DATE  CVE  VULNERABILITY TITLE  RISK
2021-07-20  CVE-2021-36230  Incorrect Authorization vulnerability in HashiCorp Terraform  Risk 6.5
HashiCorp Terraform Enterprise releases up to v202106-1 did not properly perform authorization checks on a subset of API requests executed using the run token, allowing privilege escalation to organization owner.
Attack vector: network; attack complexity: low; vendor: hashicorp; weakness: CWE-863
2021-07-17  CVE-2021-32574  Improper Certificate Validation vulnerability in HashiCorp Consul  Risk 5.0
The Envoy proxy TLS configuration generated by HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 does not validate the destination service's identity encoded in the certificate's subject alternative name, so a valid certificate issued for a different service is accepted as the intended destination.
Attack vector: network; attack complexity: low; vendor: hashicorp; weakness: CWE-295
2021-07-17  CVE-2021-36213  Unspecified vulnerability in HashiCorp Consul  Risk 5.0
In HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0, a default-deny policy combined with a single L7 (application-aware) intention deny action cancels out: the intention incorrectly fails open, and L4 traffic that should have been denied is allowed.
Attack vector: network; attack complexity: low; vendor: hashicorp
2021-06-17  CVE-2021-32575  Unspecified vulnerability in HashiCorp Nomad  Risk 3.3
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node.
Attack complexity: low; vendor: hashicorp
2021-06-03  CVE-2021-32923  Insufficient Session Expiration vulnerability in HashiCorp Vault  Risk 5.8
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use.
Attack vector: network; vendor: hashicorp; weakness: CWE-613
2021-05-07  CVE-2021-32074  Information Exposure Through Log Files vulnerability in HashiCorp vault-action  Risk 5.0
HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files, because a multi-line secret was not correctly registered with GitHub Actions for log masking: the value was registered as a whole, so its individual lines were still printed in clear when they appeared on their own in step output.
Attack vector: network; attack complexity: low; vendor: hashicorp; weakness: CWE-532
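The masking problem behind CVE-2021-32074, as an added example that is not vault-action's own code. GitHub Actions masks only values that have been registered with an `::add-mask::` workflow command; the model of the runner below (a literal-substring redactor over each output line) is an assumption for illustration, as is the PEM-shaped sample secret. The weak registration (one command for the whole multi-line value) is shown beside the per-line registration that the fixed release uses in spirit.

```javascript
// Added example (not vault-action's own code): models why a multi-line secret
// registered with a single ::add-mask:: command leaks, and the per-line fix.

// Escape a value for the data portion of a workflow command, as GitHub's
// command syntax requires (% -> %25, CR -> %0D, LF -> %0A).
function escapeCommandData(value) {
  return value.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
}

// Naive registration: one command for the whole value (the pre-2.2.0 behaviour
// as the advisory describes it).
function maskWhole(secret) {
  return [`::add-mask::${escapeCommandData(secret)}`];
}

// Fixed registration: one command per non-empty line, so every line the runner
// later prints on its own is a known secret.
function maskPerLine(secret) {
  return secret
    .split(/\r?\n/)
    .filter((line) => line.trim() !== "")
    .map((line) => `::add-mask::${escapeCommandData(line)}`);
}

// Undo the command escaping; %0A and %0D must be decoded before %25 so that a
// literal "%0A" in the original value is not decoded twice.
function unescapeCommandData(value) {
  return value.replace(/%0A/g, "\n").replace(/%0D/g, "\r").replace(/%25/g, "%");
}

// Minimal model of the runner (an assumption, not GitHub's implementation):
// collect registered values, then redact exact substring matches per log line.
function redact(logLines, commands) {
  const masks = commands
    .filter((c) => c.startsWith("::add-mask::"))
    .map((c) => unescapeCommandData(c.slice("::add-mask::".length)));
  return logLines.map((line) =>
    masks.reduce((acc, m) => (acc.includes(m) ? acc.split(m).join("***") : acc), line)
  );
}

// Constructed sample: a PEM-shaped multi-line secret and a step that echoes it
// one line at a time, which is how such values typically reach the log.
const SECRET = "-----BEGIN KEY-----\nAAAA1111\nBBBB2222\n-----END KEY-----";
const LOG = ["-----BEGIN KEY-----", "AAAA1111", "BBBB2222", "-----END KEY-----"];

// Lines that survive redaction unmasked, i.e. what an attacker reading the
// workflow log would see.
function leakedLines(commands) {
  return redact(LOG, commands).filter((l) => l !== "***");
}

console.log("whole-value registration leaks:", leakedLines(maskWhole(SECRET)));
console.log("per-line registration leaks:", leakedLines(maskPerLine(SECRET)));
```

The check a practitioner wants in a CI audit is the second call: after the action has registered a multi-line secret, every line of it should come back as `***` when echoed, not just the value as one concatenated string.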
2021-04-22  CVE-2021-30476  Unspecified vulnerability in HashiCorp Terraform Provider  Risk 7.5
HashiCorp Terraform's Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault's GCP auth method, so a role intended to be restricted to instances carrying specific labels could be applied without that restriction.
Attack vector: network; attack complexity: low; vendor: hashicorp
2021-04-22  CVE-2021-29653  Improper Certificate Validation vulnerability in HashiCorp Vault  Risk 4.3
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL, so a relying party that checks revocation only against that CRL may continue to accept a certificate Vault has revoked.
Attack vector: network; vendor: hashicorp; weakness: CWE-295
2021-04-22  CVE-2021-27400  Improper Certificate Validation vulnerability in HashiCorp Vault  Risk 5.0
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters, so an attacker in a position to intercept that connection could present any certificate and read or alter the traffic.
Attack vector: network; attack complexity: low; vendor: hashicorp; weakness: CWE-295
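The two certificate checks that CVE-2021-27400 (Vault's Cassandra clients) and CVE-2021-32574 (Consul's Envoy TLS configuration) describe as missing, as one added Go example that is neither Vault's nor Consul's code: the peer's chain must anchor in a trusted root, and the identity in the peer certificate's SAN must be the service we intended to reach. The CA, the leaf certificates and the SPIFFE-style URI identifiers are constructed fixtures; the URI form is modelled on the URI SAN that Consul Connect issues, and the helper names (`newCA`, `newLeaf`, `verifyPeer`, `demo`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue signs template with parentKey and returns the parsed certificate.
// For a self-signed CA, template and parent are the same object.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA builds a throwaway CA (constructed fixture standing in for the
// cluster CA a Consul datacenter or a Cassandra deployment would trust).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// newLeaf issues a service certificate whose identity is carried in a URI SAN,
// the SPIFFE-style form used for service identity; the id value is constructed.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	u, _ := url.Parse(id)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

// verifyPeer performs both checks the advisories describe as absent:
// 1. chain validation against a trust root (skipping it, as in CVE-2021-27400,
//    accepts whatever certificate a man-in-the-middle presents);
// 2. identity matching of the URI SAN against the intended destination
//    (skipping it, as in CVE-2021-32574, accepts a valid cert for another service).
func verifyPeer(peer *x509.Certificate, roots *x509.CertPool, wantID string) error {
	if roots == nil {
		return errors.New("refusing to connect without a trust root")
	}
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	for _, u := range peer.URIs {
		if u.String() == wantID {
			return nil
		}
	}
	return fmt.Errorf("peer identity %v does not match expected %q", peer.URIs, wantID)
}

// demo runs three scenarios and returns each outcome: a genuine peer, a peer
// holding a valid certificate for a different service, and a peer whose
// certificate chains to a CA we do not trust.
func demo() (trusted, wrongService, untrustedCA error) {
	ca, caKey := newCA("test-ca")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	want := "spiffe://example.consul/ns/default/dc/dc1/svc/db"
	trusted = verifyPeer(newLeaf(ca, caKey, want), roots, want)
	wrongService = verifyPeer(newLeaf(ca, caKey, "spiffe://example.consul/ns/default/dc/dc1/svc/web"), roots, want)
	rogueCA, rogueKey := newCA("rogue-ca")
	untrustedCA = verifyPeer(newLeaf(rogueCA, rogueKey, want), roots, want)
	return
}

func main() {
	a, b, c := demo()
	fmt.Println("trusted peer:", a)
	fmt.Println("wrong service:", b)
	fmt.Println("untrusted CA:", c)
}
```

Only the first scenario should succeed. Note that `Verify` with an empty `DNSName` performs chain validation only; the identity comparison is a separate step, which is exactly the step a proxy can omit while still "using TLS".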
2021-04-20  CVE-2020-25864  Cross-Site Scripting vulnerability in HashiCorp Consul  Risk 4.3
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting: a value stored in the KV store could be served back in a way that a browser renders as active content.
Attack vector: network; vendor: hashicorp; weakness: CWE-79