Shodan
Vulnerabilities
Vulnerable Software
Hashicorp:  >> Vault  >> 1.4.1  Security Vulnerabilities
CVE-2021-32923
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
CVSS Score
7.4
EPSS Score
0.007
Published
2021-06-03
CVE-2021-27400
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVSS Score
7.5
EPSS Score
0.002
Published
2021-04-22
CVE-2021-3024
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
CVSS Score
5.3
EPSS Score
0.005
Published
2021-02-01
CVE-2020-25594
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
CVSS Score
5.3
EPSS Score
0.005
Published
2021-02-01
CVE-2020-25816
HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.
CVSS Score
6.8
EPSS Score
0.004
Published
2020-09-30
CVE-2020-16250
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..
CVSS Score
8.2
EPSS Score
0.024
Published
2020-08-26
CVE-2020-16251
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
CVSS Score
8.2
EPSS Score
0.009
Published
2020-08-26
CVE-2020-12757
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.
CVSS Score
9.8
EPSS Score
0.005
Published
2020-06-10
CVE-2020-13223
HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-06-10


Products
Pricing
Contact Us

Shodan ® - All rights reserved