Hashicorp

Vault

66 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2024-2048

  • EPSS 0.19%
  • Published 04.03.2024 20:15:50
  • Last modified 06.08.2025 14:17:57

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious cert...

6.5

CVE-2024-0831

Exploit
  • EPSS 0.16%
  • Published 01.02.2024 02:15:46
  • Last modified 21.11.2024 08:47:28

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `lo...

7.5

CVE-2023-6337

  • EPSS 0.77%
  • Published 08.12.2023 22:15:07
  • Last modified 13.02.2025 18:16:08

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request...

7.5

CVE-2023-5954

  • EPSS 0.37%
  • Published 09.11.2023 21:15:25
  • Last modified 21.11.2024 08:42:51

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

7.5

CVE-2023-5077

  • EPSS 0.21%
  • Published 29.09.2023 00:15:12
  • Last modified 21.11.2024 08:41:01

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

4.9

CVE-2023-3775

  • EPSS 0.23%
  • Published 29.09.2023 00:15:12
  • Last modified 21.11.2024 08:18:02

A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vau...

6.8

CVE-2023-4680

  • EPSS 1.52%
  • Published 15.09.2023 00:15:07
  • Last modified 21.11.2024 08:35:40

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrar...

5.3

CVE-2023-3462

  • EPSS 0.74%
  • Published 31.07.2023 23:15:10
  • Last modified 21.11.2024 08:17:19

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on...

4.9

CVE-2023-3774

  • EPSS 0.49%
  • Published 28.07.2023 01:15:09
  • Last modified 21.11.2024 08:18:02

An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Fixed in 1.14.1, 1.13.5, and 1.12.9.

5.4

CVE-2023-2121

  • EPSS 0.49%
  • Published 09.06.2023 17:15:09
  • Last modified 21.11.2024 07:57:58

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.