Vulnerabilities > Hashicorp > Vault
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-09 | CVE-2023-2121 | Cross-site Scripting vulnerability in Hashicorp Vault Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. | 5.4 |
| 2023-05-01 | CVE-2023-2197 | Inadequate Encryption Strength vulnerability in Hashicorp Vault 1.13.0 HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. | 2.5 |
| 2023-03-30 | CVE-2023-0620 | SQL Injection vulnerability in Hashicorp Vault HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. | 6.7 |
| 2023-03-30 | CVE-2023-0665 | Unspecified vulnerability in Hashicorp Vault HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. | 6.5 |
| 2023-03-30 | CVE-2023-25000 | Information Exposure Through Discrepancy vulnerability in Hashicorp Vault HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. | 4.7 |
| 2023-03-11 | CVE-2023-24999 | Incorrect Authorization vulnerability in Hashicorp Vault HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. | 8.1 |
| 2022-10-12 | CVE-2022-41316 | Improper Certificate Validation vulnerability in Hashicorp Vault HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. | 5.3 |
| 2022-09-22 | CVE-2022-40186 | Unspecified vulnerability in Hashicorp Vault An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. | 9.1 |
| 2022-07-26 | CVE-2022-36129 | Missing Authentication for Critical Function vulnerability in Hashicorp Vault HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. | 9.1 |
| 2022-05-17 | CVE-2022-30689 | Unspecified vulnerability in Hashicorp Vault 1.10.0/1.10.2 HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. | 5.3 |