Hashicorp: Security Vulnerabilities
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-05-17
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
CVSS Score
5.5
EPSS Score
0.001
Published
2022-04-27
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
CVSS Score
7.5
EPSS Score
0.869
Published
2022-04-19
Sentinel 1.8.2 is vulnerable to Server-side request forgery (SSRF).
CVSS Score
7.5
EPSS Score
0.777
Published
2022-03-23
"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.
CVSS Score
6.5
EPSS Score
0.002
Published
2022-03-10
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10.
CVSS Score
6.5
EPSS Score
0.003
Published
2022-03-10
HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.
CVSS Score
7.5
EPSS Score
0.007
Published
2022-02-28
HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1.
CVSS Score
7.5
EPSS Score
0.003
Published
2022-02-25
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3.
CVSS Score
6.5
EPSS Score
0.004
Published
2022-02-24
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.
CVSS Score
7.5
EPSS Score
0.005
Published
2022-02-17