Hashicorp: >> Vault >> 1.6.1 Security Vulnerabilities
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
CVSS Score
5.3
EPSS Score
0.004
Published
2021-02-01
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-02-01
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
CVSS Score
5.3
EPSS Score
0.004
Published
2021-02-01
Page 3