Hashicorp

Vault

66 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2022-25243

  • EPSS 0.25%
  • Published 10.03.2022 17:47:06
  • Last modified 21.11.2024 06:51:51

"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains i...

6.8

CVE-2021-45042

  • EPSS 0.44%
  • Published 17.12.2021 14:15:07
  • Last modified 21.11.2024 06:31:51

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial ...

6.5

CVE-2021-43998

  • EPSS 0.14%
  • Published 30.11.2021 15:15:07
  • Last modified 21.11.2024 06:30:10

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorre...

8.1

CVE-2021-42135

  • EPSS 0.25%
  • Published 11.10.2021 03:15:06
  • Last modified 21.11.2024 06:27:20

HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read p...

5.5

CVE-2021-41802

  • EPSS 0.25%
  • Published 08.10.2021 17:15:07
  • Last modified 21.11.2024 06:26:47

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and V...

5.3

CVE-2021-27668

  • EPSS 0.35%
  • Published 31.08.2021 18:15:07
  • Last modified 21.11.2024 05:58:24

HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.

5.3

CVE-2021-38554

  • EPSS 0.31%
  • Published 13.08.2021 16:15:08
  • Last modified 21.11.2024 06:17:25

HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

4.4

CVE-2021-38553

  • EPSS 0.09%
  • Published 13.08.2021 16:15:08
  • Last modified 21.11.2024 06:17:25

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

7.4

CVE-2021-32923

  • EPSS 0.68%
  • Published 03.06.2021 11:15:08
  • Last modified 21.11.2024 06:07:56

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequen...

7.5

CVE-2021-29653

  • EPSS 0.1%
  • Published 22.04.2021 17:15:07
  • Last modified 21.11.2024 06:01:34

HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.