Vulnerabilities > Hashicorp > Vault

DATE CVE VULNERABILITY TITLE RISK
2020-08-26 CVE-2020-16250 Authentication Bypass by Spoofing vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass.
network
low complexity
hashicorp CWE-290
8.2
2020-06-10 CVE-2020-13223 Information Exposure Through Log Files vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials.
network
low complexity
hashicorp CWE-532
7.5
2020-06-10 CVE-2020-12757 Improper Privilege Management vulnerability in Hashicorp Vault 1.4.0/1.4.1/1.4.2
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting.
network
low complexity
hashicorp CWE-269
critical
9.8
2020-03-23 CVE-2020-10661 Unspecified vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact.
network
low complexity
hashicorp
critical
9.1
2020-03-23 CVE-2020-10660 Incorrect Default Permissions vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to.
network
low complexity
hashicorp CWE-276
5.3
2020-01-23 CVE-2020-7220 Improper Resource Shutdown or Release vulnerability in Hashicorp Vault
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace.
network
low complexity
hashicorp CWE-404
7.5
2018-12-05 CVE-2018-19786 Information Exposure Through Log Files vulnerability in Hashicorp Vault
HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported.
network
high complexity
hashicorp CWE-532
8.1