Hashicorp vulnerabilities

Each entry lists the publication date, CVE, vulnerability title, description, attack vector, attack complexity, vendor, CWE, and risk score.

Date: 2023-07-28
CVE: CVE-2023-3774
Title: Improper Handling of Exceptional Conditions vulnerability in Hashicorp Vault 1.12.8/1.13.4/1.14.0
Description: An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service.
Attack vector: network
Attack complexity: low
Vendor: hashicorp
CWE: CWE-755
Risk: 4.9

Date: 2023-07-20
CVE: CVE-2023-3072
Title: Missing Authorization vulnerability in Hashicorp Nomad
Description: In HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10, ACL policies using a block without a label generate unexpected results.
Attack vector: network
Attack complexity: low
Vendor: hashicorp
CWE: CWE-862
Risk: 3.8

Date: 2023-07-20
CVE: CVE-2023-3299
Title: Exposure of Resource to Wrong Sphere vulnerability in Hashicorp Nomad
Description: In HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10, ACL policies using a block without a label generate unexpected results.
Attack vector: network
Attack complexity: low
Vendor: hashicorp
CWE: CWE-668
Risk: 2.7

Date: 2023-07-20
CVE: CVE-2023-3300
Title: Missing Authorization vulnerability in Hashicorp Nomad
Description: In HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1, the HTTP search API can reveal the names of available CSI plugins to unauthenticated users or to users without the plugin:read policy.
Attack vector: network
Attack complexity: low
Vendor: hashicorp
CWE: CWE-862
Risk: 5.3

Date: 2023-06-22
CVE: CVE-2023-3114
Title: Incorrect Authorization vulnerability in Hashicorp Terraform Enterprise
Description: Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents.
Attack vector: network
Attack complexity: low
Vendor: hashicorp
CWE: CWE-863
Risk: 7.7

Date: 2023-06-09
CVE: CVE-2023-2121
Title: Cross-site Scripting vulnerability in Hashicorp Vault
Description: Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values.
Attack vector: network
Attack complexity: low
Vendor: hashicorp
CWE: CWE-79
Risk: 5.4

Date: 2023-06-02
CVE: CVE-2023-1297
Title: Unspecified vulnerability in Hashicorp Consul
Description: Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with a service of the same name as a local service could corrupt Consul state, resulting in denial of service.
Attack vector: network
Attack complexity: low
Vendor: hashicorp
Risk: 7.5

Date: 2023-06-02
CVE: CVE-2023-2816
Title: Unspecified vulnerability in Hashicorp Consul 1.15.0
Description: Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.
Attack vector: network
Attack complexity: low
Vendor: hashicorp
Risk: 6.5

Date: 2023-05-01
CVE: CVE-2023-2197
Title: Inadequate Encryption Strength vulnerability in Hashicorp Vault 1.13.0
Description: HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify ciphertext in order to derive Vault's root key.
Attack vector: local
Attack complexity: high
Vendor: hashicorp
CWE: CWE-326
Risk: 2.5

Date: 2023-04-05
CVE: CVE-2023-1782
Title: Missing Authorization vulnerability in Hashicorp Nomad 1.5.0
Description: HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled.
Attack vector: network
Attack complexity: low
Vendor: hashicorp
CWE: CWE-862
Risk: critical (9.8)