Hashicorp vulnerabilities, medium severity

DATE  CVE  VULNERABILITY TITLE
    (description; attack vector; attack complexity; vendor(s) and CWE; RISK = CVSS score)
2021-08-13  CVE-2021-38553  Improper Preservation of Permissions vulnerability in Hashicorp Vault
    HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized the underlying database file of the Integrated Storage (raft) backend with excessively broad filesystem permissions, leaving it readable by local accounts other than the one Vault runs as. Vault encrypts its storage entries with the barrier key, so the file holds ciphertext and metadata rather than plaintext secrets, but it should still be restricted to the Vault service account.
    Attack vector: local; attack complexity: low; vendor: hashicorp; CWE-281; CVSS score: 4.4
2021-08-13  CVE-2021-38554  Improper Cross-boundary Removal of Sensitive Data vulnerability in Hashicorp Vault
    HashiCorp Vault and Vault Enterprise's web UI erroneously cached secrets a user had viewed and exposed them to later sessions in the same shared browser, so a subsequent user of that browser could see secrets viewed by the previous one.
    Attack vector: network; attack complexity: high; vendor: hashicorp; CWE-212; CVSS score: 5.3
2021-06-17  CVE-2021-32575  ARP spoofing between bridged tasks in Hashicorp Nomad
    HashiCorp Nomad and Nomad Enterprise up to version 1.0.4: in bridge networking mode, a task could ARP-spoof other tasks bridged on the same node, allowing it to intercept or redirect their traffic.
    Attack complexity: low; vendor: hashicorp; CVSS score: 6.5
2021-04-20  CVE-2020-25864  Cross-site Scripting vulnerability in Hashicorp Consul
    HashiCorp Consul and Consul Enterprise up to version 1.9.4: the key-value (KV) HTTP API's raw mode (the ?raw option on GET /v1/kv/<key>), which returns the stored value as-is rather than JSON-wrapped, was vulnerable to cross-site scripting, so a value an attacker could write to the KV store could execute as script in the browser of a user who opened that URL.
    Attack vector: network; attack complexity: low; vendor: hashicorp; CWE-79; CVSS score: 6.1
2021-03-26  CVE-2021-3153  Improper Authentication vulnerability in Hashicorp Terraform Enterprise 2020071
    HashiCorp Terraform Enterprise up to v202102-2 failed to enforce the organization-level setting that requires all users in the organization to have two-factor authentication enabled, so users without 2FA were not blocked from the organization.
    Attack vector: network; attack complexity: low; vendor: hashicorp; CWE-287; CVSS score: 6.5
2021-02-01  CVE-2021-3024  Information disclosure (internal IP address) vulnerability in Hashicorp Vault
    HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node in responses to some invalid, unauthenticated HTTP requests, giving an unauthenticated caller network-layout information about the deployment.
    Attack vector: network; attack complexity: low; vendor: hashicorp; CVSS score: 5.3
2021-02-01  CVE-2020-25594  Secrets engine mount path enumeration vulnerability in Hashicorp Vault
    HashiCorp Vault and Vault Enterprise allowed the enumeration of secrets engine mount paths via unauthenticated HTTP requests, revealing which engines are mounted and where, information that otherwise requires a token with read access to sys/mounts.
    Attack vector: network; attack complexity: low; vendor: hashicorp; CVSS score: 5.3
2021-01-21  CVE-2020-8567  Path Traversal vulnerability in multiple products
    Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects (that is, who holds that permission in the cluster's RBAC) to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods, because values from the SecretProviderClass reached the destination path without being confined to the volume's mount directory.
    Attack vector: network; attack complexity: low; vendors: google, hashicorp, microsoft; CWE-22; CVSS score: 6.5
2020-12-17  CVE-2020-35453  Incorrect namespace scoping of Sentinel EGP policies in Hashicorp Vault Enterprise
    HashiCorp Vault Enterprise's Sentinel endpoint governing policy (EGP) feature incorrectly allowed requests to be processed in parent and sibling namespaces.
    Attack vector: network; attack complexity: low; vendor: hashicorp; CVSS score: 5.3
2020-12-17  CVE-2020-35177  Information Exposure Through an Error Message vulnerability in Hashicorp Vault
    HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method: the login error response revealed whether a supplied username existed.
    Attack vector: network; attack complexity: low; vendor: hashicorp; CWE-209; CVSS score: 5.3
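A check a practitioner would want for the CVE-2021-38553 entry above: walk Vault's Integrated Storage data directory, report every regular file that group or other can access, and tighten those files to 0600. This is an added example, not HashiCorp's code. The file layout it builds for the demo (raft/vault.db, raft/raft.db, raft/peers.json in a temporary directory) is an assumption used only to construct sample input; the audit itself walks whatever directory it is given, and the real data path (for example /opt/vault/data) must be supplied by the operator.

```python
"""Audit a Vault Integrated Storage data directory for files that group or
other can access, and tighten them to 0600.

Added example for CVE-2021-38553; not HashiCorp's code. build_demo_tree()
constructs a throwaway directory whose layout (raft/vault.db, raft/raft.db,
raft/peers.json) is an assumption for the demo only.
"""
import os
import stat
import tempfile

# Any permission bit for group or other is "excessively broad" for Vault's
# storage files: only the service account Vault runs as should reach them.
GROUP_OTHER_MASK = stat.S_IRWXG | stat.S_IRWXO


def overly_permissive_files(root, mask=GROUP_OTHER_MASK):
    """Return sorted (relative path, permission bits) for every regular file
    under root whose mode has any bit of mask set. Symlinks are skipped rather
    than followed, so a link out of the data directory cannot add or hide
    findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            perm = stat.S_IMODE(st.st_mode)
            if perm & mask:
                findings.append((os.path.relpath(path, root), perm))
    return sorted(findings)


def remediate(root, mode=0o600, mask=GROUP_OTHER_MASK):
    """chmod every finding to mode and return the number of files changed."""
    fixed = 0
    for rel, _perm in overly_permissive_files(root, mask):
        os.chmod(os.path.join(root, rel), mode)
        fixed += 1
    return fixed


def build_demo_tree():
    """Construct a throwaway data directory. vault.db is deliberately left
    0644 to stand in for the vulnerable behaviour; the others are 0600, as a
    fixed release would leave them. Contents are placeholders, not BoltDB."""
    root = tempfile.mkdtemp(prefix="vault-data-")
    raft = os.path.join(root, "raft")
    os.mkdir(raft)
    os.chmod(raft, 0o700)  # mkdir's mode is subject to umask; chmod is not
    for rel, perm in (("raft/vault.db", 0o644),
                      ("raft/raft.db", 0o600),
                      ("raft/peers.json", 0o600)):
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real database file\n")
        os.chmod(path, perm)
    return root


def demo():
    """Audit the demo tree, remediate, audit again; return the three results."""
    root = build_demo_tree()
    before = overly_permissive_files(root)
    fixed = remediate(root)
    after = overly_permissive_files(root)
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = demo()
    for rel, perm in before:
        print("%s is %s (expected 0600)" % (rel, oct(perm)))
    print("tightened %d file(s); remaining findings: %r" % (fixed, after))
```

Run it against a real deployment by calling overly_permissive_files on the storage path from Vault's configuration and reviewing the list before calling remediate; the mask can be narrowed (for example to stat.S_IRWXO) if group access is intentional.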
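The general fix pattern behind the CVE-2020-8567 entry above is to confine any provider-supplied file name to the volume's mount directory before writing. The example below is added here and is not the Secrets Store CSI Driver's or any provider plugin's code; the function names, the mount path /var/run/secrets-store/pod-123 and the object names are all constructed for illustration. It also keeps a naive string-prefix check alongside the correct component-wise check, because the prefix check accepts a sibling directory whose name merely starts with the same text.

```python
"""Confine a SecretProviderClass-supplied object name to the volume's mount
directory before it is used as a write destination.

Added example for CVE-2020-8567; not the CSI driver's or a provider's code.
MOUNT_DIR and DEMO_OBJECT_NAMES are constructed sample input. posixpath is
used so the result is identical on any host.
"""
import posixpath


def resolve_secret_path(target_dir, object_name):
    """Return the absolute path at which object_name may be written under
    target_dir, or raise ValueError if it would land anywhere else."""
    if not object_name or "\x00" in object_name:
        raise ValueError("empty or NUL-containing object name")
    if posixpath.isabs(object_name):
        raise ValueError("absolute object name: %r" % object_name)
    base = posixpath.normpath(target_dir)
    if not posixpath.isabs(base):
        raise ValueError("target directory must be absolute: %r" % target_dir)
    # normpath collapses every "..", so the checks below see the real target.
    candidate = posixpath.normpath(posixpath.join(base, object_name))
    if candidate == base:
        raise ValueError("object name resolves to the mount directory itself")
    # commonpath compares whole path components, unlike a string prefix test.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("object name escapes %s: %r -> %s"
                         % (base, object_name, candidate))
    return candidate


def is_safe_object_name(target_dir, object_name):
    try:
        resolve_secret_path(target_dir, object_name)
        return True
    except ValueError:
        return False


def naive_prefix_check(target_dir, object_name):
    """The string-prefix test a first attempt often uses, kept to show why it
    is insufficient: ../pod-1234/x passes because its normalized path starts
    with the text /var/run/secrets-store/pod-123."""
    candidate = posixpath.normpath(posixpath.join(target_dir, object_name))
    return candidate.startswith(target_dir)


def partition_objects(target_dir, object_names):
    """Split names into accepted {name: path} and rejected {name: reason}."""
    accepted, rejected = {}, {}
    for name in object_names:
        try:
            accepted[name] = resolve_secret_path(target_dir, name)
        except ValueError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


MOUNT_DIR = "/var/run/secrets-store/pod-123"  # constructed example target path

# Constructed object names of the kind a SecretProviderClass might carry,
# including traversal attempts toward the kubelet pod directory.
DEMO_OBJECT_NAMES = [
    "db-password",
    "tls/cert.pem",
    "../../../../var/lib/kubelet/pods/evil",
    "../pod-1234/x",
    "tls/../../escape",
    "/etc/passwd",
    ".",
]

if __name__ == "__main__":
    accepted, rejected = partition_objects(MOUNT_DIR, DEMO_OBJECT_NAMES)
    for name, path in accepted.items():
        print("accept %-40r -> %s" % (name, path))
    for name, reason in rejected.items():
        print("reject %-40r (%s)" % (name, reason))
    print("naive prefix check on ../pod-1234/x:",
          naive_prefix_check(MOUNT_DIR, "../pod-1234/x"))
```

The check runs on the already-normalized path rather than on the raw string, so encoded or doubled separators and "." segments are resolved before comparison; any name that changes under normalization and still fails is reported with the path it would actually have written.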