Filtered by vendor Hashicorp
Subscribe
Total
177 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4656 | 1 Hashicorp | 1 Vault | 2025-08-13 | N/A | 3.1 LOW |
| Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22. | |||||
| CVE-2024-6468 | 1 Hashicorp | 1 Vault | 2025-08-13 | N/A | 7.5 HIGH |
| Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service. While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur. Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12. | |||||
| CVE-2025-4166 | 1 Hashicorp | 1 Vault | 2025-08-12 | N/A | 4.5 MEDIUM |
| Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20. | |||||
| CVE-2025-3879 | 1 Hashicorp | 1 Vault | 2025-08-12 | N/A | 6.6 MEDIUM |
| Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18. | |||||
| CVE-2024-2660 | 1 Hashicorp | 1 Vault | 2025-08-08 | N/A | 6.4 MEDIUM |
| Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11. | |||||
| CVE-2024-2877 | 1 Hashicorp | 1 Vault | 2025-08-08 | N/A | 5.5 MEDIUM |
| Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request information in cleartext. This vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8. | |||||
| CVE-2022-40186 | 1 Hashicorp | 1 Vault | 2025-05-27 | N/A | 9.1 CRITICAL |
| An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault. | |||||
| CVE-2021-41803 | 1 Hashicorp | 1 Consul | 2025-05-27 | N/A | 7.1 HIGH |
| HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2." | |||||
| CVE-2022-40716 | 1 Hashicorp | 1 Consul | 2025-05-27 | N/A | 6.5 MEDIUM |
| HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2." | |||||
| CVE-2022-41606 | 1 Hashicorp | 1 Nomad | 2025-05-20 | N/A | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0. | |||||
| CVE-2022-42717 | 2 Hashicorp, Linux | 2 Vagrant, Linux Kernel | 2025-05-20 | N/A | 7.8 HIGH |
| An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root. | |||||
| CVE-2025-3744 | 1 Hashicorp | 1 Nomad | 2025-05-15 | N/A | 7.6 HIGH |
| Nomad Enterprise (“Nomad”) jobs using the policy override option are bypassing the mandatory sentinel policies. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13. | |||||
| CVE-2022-41316 | 1 Hashicorp | 1 Vault | 2025-05-15 | N/A | 5.3 MEDIUM |
| HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10. | |||||
| CVE-2022-36182 | 1 Hashicorp | 1 Boundary | 2025-05-07 | N/A | 6.1 MEDIUM |
| Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site. | |||||
| CVE-2017-7642 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the encoded ruby script or scrub the PATH variable. | |||||
| CVE-2017-15884 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | 6.9 MEDIUM | 7.0 HIGH |
| In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.0, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | |||||
| CVE-2017-12579 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 4.0.24 and earlier allows a non-root user to obtain a root shell. | |||||
| CVE-2017-11741 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | 7.2 HIGH | 8.8 HIGH |
| HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, allows local users to execute arbitrary code with root privileges by overwriting one of the scripts. | |||||
| CVE-2017-16001 | 1 Hashicorp | 1 Vagrant | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | |||||
| CVE-2017-16777 | 1 Hashicorp | 1 Vagrant | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.3 is installed but VMware Fusion is not, a local attacker can create a fake application directory and exploit the suid sudo helper in order to escalate to root. | |||||