Vulnerabilities > Hashicorp > Vault

DATE CVE VULNERABILITY TITLE RISK
2022-03-10 CVE-2022-25243 Improper Certificate Validation vulnerability in Hashicorp Vault
"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false.
network
low complexity
hashicorp CWE-295
6.5
2022-03-10 CVE-2022-25244 Unspecified vulnerability in Hashicorp Vault
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint.
network
low complexity
hashicorp
6.5
2021-12-17 CVE-2021-45042 Unspecified vulnerability in Hashicorp Vault
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend.
network
low complexity
hashicorp
4.9
2021-11-30 CVE-2021-43998 Incorrect Permission Assignment for Critical Resource vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement.
network
low complexity
hashicorp CWE-732
6.5
2021-10-11 CVE-2021-42135 Improper Privilege Management vulnerability in Hashicorp Vault 1.8.0/1.8.3/1.8.4
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine.
network
low complexity
hashicorp CWE-269
8.1
2021-10-08 CVE-2021-41802 Incorrect Permission Assignment for Critical Resource vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities.
network
low complexity
hashicorp CWE-732
5.4
2021-08-31 CVE-2021-27668 Missing Authentication for Critical Function vulnerability in Hashicorp Vault
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication.
network
low complexity
hashicorp CWE-306
5.3
2021-08-13 CVE-2021-38553 Improper Preservation of Permissions vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions.
local
low complexity
hashicorp CWE-281
4.4
2021-08-13 CVE-2021-38554 Improper Cross-boundary Removal of Sensitive Data vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser.
network
high complexity
hashicorp CWE-212
5.3
2021-06-03 CVE-2021-32923 Insufficient Session Expiration vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use.
network
high complexity
hashicorp CWE-613
7.4