Hashicorp

Vault

66 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2024-2048

  • EPSS 0.19%
  • Veröffentlicht 04.03.2024 20:15:50
  • Zuletzt bearbeitet 06.08.2025 14:17:57

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious cert...

6.5

CVE-2024-0831

Exploit
  • EPSS 0.16%
  • Veröffentlicht 01.02.2024 02:15:46
  • Zuletzt bearbeitet 21.11.2024 08:47:28

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `lo...

7.5

CVE-2023-6337

  • EPSS 0.77%
  • Veröffentlicht 08.12.2023 22:15:07
  • Zuletzt bearbeitet 13.02.2025 18:16:08

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request...

7.5

CVE-2023-5954

  • EPSS 0.37%
  • Veröffentlicht 09.11.2023 21:15:25
  • Zuletzt bearbeitet 21.11.2024 08:42:51

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

7.5

CVE-2023-5077

  • EPSS 0.21%
  • Veröffentlicht 29.09.2023 00:15:12
  • Zuletzt bearbeitet 21.11.2024 08:41:01

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

4.9

CVE-2023-3775

  • EPSS 0.23%
  • Veröffentlicht 29.09.2023 00:15:12
  • Zuletzt bearbeitet 21.11.2024 08:18:02

A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vau...

6.8

CVE-2023-4680

  • EPSS 1.52%
  • Veröffentlicht 15.09.2023 00:15:07
  • Zuletzt bearbeitet 21.11.2024 08:35:40

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrar...

5.3

CVE-2023-3462

  • EPSS 0.74%
  • Veröffentlicht 31.07.2023 23:15:10
  • Zuletzt bearbeitet 21.11.2024 08:17:19

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on...

4.9

CVE-2023-3774

  • EPSS 0.49%
  • Veröffentlicht 28.07.2023 01:15:09
  • Zuletzt bearbeitet 21.11.2024 08:18:02

An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Fixed in 1.14.1, 1.13.5, and 1.12.9.

5.4

CVE-2023-2121

  • EPSS 0.49%
  • Veröffentlicht 09.06.2023 17:15:09
  • Zuletzt bearbeitet 21.11.2024 07:57:58

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.