Vulnerabilities > Hashicorp > Vault > High

DATE CVE VULNERABILITY TITLE RISK
2024-10-10 CVE-2024-9180 Unspecified vulnerability in Hashicorp Vault
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy.
network
low complexity
hashicorp
7.2
2023-12-08 CVE-2023-6337 Allocation of Resources Without Limits or Throttling vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client.
network
low complexity
hashicorp CWE-770
7.5
2023-11-09 CVE-2023-5954 Memory Leak vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory.
network
low complexity
hashicorp CWE-401
7.5
2023-09-29 CVE-2023-5077 Incorrect Permission Assignment for Critical Resource vulnerability in Hashicorp Vault
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets.
network
low complexity
hashicorp CWE-732
7.5
2023-03-11 CVE-2023-24999 Incorrect Authorization vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor.
network
low complexity
hashicorp CWE-863
8.1
2021-10-11 CVE-2021-42135 Improper Privilege Management vulnerability in Hashicorp Vault 1.8.0/1.8.3
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine.
network
low complexity
hashicorp CWE-269
8.1
2021-06-03 CVE-2021-32923 Insufficient Session Expiration vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use.
network
high complexity
hashicorp CWE-613
7.4
2021-04-22 CVE-2021-29653 Improper Certificate Validation vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL.
network
low complexity
hashicorp CWE-295
7.5
2021-04-22 CVE-2021-27400 Improper Certificate Validation vulnerability in Hashicorp Vault
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters.
network
low complexity
hashicorp CWE-295
7.5
2021-02-01 CVE-2021-3282 Improper Authentication vulnerability in Hashicorp Vault 1.6.0/1.6.1
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication.
network
low complexity
hashicorp CWE-287
7.5