Vulnerabilities > Hashicorp

DATE CVE VULNERABILITY TITLE RISK
2021-10-11 CVE-2021-42135 Incorrect Authorization vulnerability in Hashicorp Vault 1.8.0/1.8.3/1.8.4
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine.
network
hashicorp CWE-863
4.9
2021-10-08 CVE-2021-41802 Incorrect Permission Assignment for Critical Resource vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities.
network
low complexity
hashicorp CWE-732
5.5
2021-10-07 CVE-2021-41865 Unspecified vulnerability in Hashicorp Nomad
HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode.
network
low complexity
hashicorp
4.0
2021-09-15 CVE-2021-40862 Exposure of Resource to Wrong Sphere vulnerability in Hashicorp Terraform Enterprise
HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration.
network
low complexity
hashicorp CWE-668
6.5
2021-09-07 CVE-2021-37218 Improper Certificate Validation vulnerability in Hashicorp Nomad
HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation.
network
low complexity
hashicorp CWE-295
6.5
2021-09-07 CVE-2021-37219 Improper Certificate Validation vulnerability in Hashicorp Consul
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation.
network
low complexity
hashicorp CWE-295
6.5
2021-09-07 CVE-2021-38698 Incorrect Authorization vulnerability in Hashicorp Consul
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.
network
low complexity
hashicorp CWE-863
4.0
2021-08-31 CVE-2021-27668 Improper Authentication vulnerability in Hashicorp Vault
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication.
network
low complexity
hashicorp CWE-287
5.0
2021-08-13 CVE-2021-38553 Improper Preservation of Permissions vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions.
local
low complexity
hashicorp CWE-281
2.1
2021-08-13 CVE-2021-38554 Improper Cross-boundary Removal of Sensitive Data vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser.
network
hashicorp CWE-212
3.5