Vulnerabilities > Hashicorp > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-24 | CVE-2020-28348 | Path Traversal vulnerability in Hashicorp Nomad HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. | 6.5 |
| 2020-11-23 | CVE-2020-28053 | Incorrect Authorization vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. | 6.5 |
| 2020-09-30 | CVE-2020-25816 | Unspecified vulnerability in Hashicorp Vault HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. | 6.8 |
| 2020-07-30 | CVE-2020-15511 | Unspecified vulnerability in Hashicorp Terraform Enterprise HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. | 5.3 |
| 2020-06-11 | CVE-2020-12797 | Unspecified vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. | 5.3 |
| 2020-04-28 | CVE-2020-10944 | Cross-site Scripting vulnerability in Hashicorp Nomad HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. | 5.4 |
| 2020-03-23 | CVE-2020-10660 | Incorrect Default Permissions vulnerability in Hashicorp Vault HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. | 5.3 |
| 2020-01-31 | CVE-2020-7955 | Incorrect Authorization vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. | 5.3 |
| 2018-12-09 | CVE-2018-19653 | Cryptographic Issues vulnerability in Hashicorp Consul HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. | 5.9 |
| 2018-08-25 | CVE-2018-15869 | Incorrect Permission Assignment for Critical Resource vulnerability in Hashicorp Packer An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog. | 5.3 |