Vulnerabilities
Vulnerable Software
Hashicorp:  Security Vulnerabilities
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
CVSS Score
7.4
EPSS Score
0.021
Published
2021-06-03
HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-05-07
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVSS Score
7.5
EPSS Score
0.001
Published
2021-04-22
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
CVSS Score
7.5
EPSS Score
0.001
Published
2021-04-22
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
CVSS Score
9.8
EPSS Score
0.006
Published
2021-04-22
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
CVSS Score
6.1
EPSS Score
0.747
Published
2021-04-20
HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10.
CVSS Score
7.5
EPSS Score
0.007
Published
2021-04-20
HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-03-26
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
CVSS Score
5.3
EPSS Score
0.004
Published
2021-02-01
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-02-01


Contact Us

Shodan ® - All rights reserved