CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-0475 – Go-Getter Vulnerable to Decompression Bombs
https://notcve.org/view.php?id=CVE-2023-0475
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0. A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive. • https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125 https://access.redhat.com/security/cve/CVE-2023-0475 https://bugzilla.redhat.com/show_bug.cgi?id=2170844 • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0690 – Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured
https://notcve.org/view.php?id=CVE-2023-0690
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0. • https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907 • CWE-311: Missing Encryption of Sensitive Data CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14802
https://notcve.org/view.php?id=CVE-2019-14802
HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template. HashiCorp Nomad 0.5.0 a 0.9.4 (corregido en 0.9.5) revela variables de entorno no deseadas en la tarea de renderizado durante el renderizado de la plantilla, también conocido como GHSA-6hv3-7c34-4hx8. Esto se aplica a nomad/client/allocrunner/taskrunner/template. • https://advisories.gitlab.com/advisory/advgo_github_com_hashicorp_nomad_client_allocrunner_taskrunner_template_GMS_2022_818.html https://www.hashicorp.com/blog/category/nomad •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-3920 – Consul Peering Imported Nodes/Services Leak
https://notcve.org/view.php?id=CVE-2022-3920
HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0. HashiCorp Consul y Consul Enterprise 1.13.0 hasta 1.13.3 no filtran los nodos y servicios importados del filtrado de clústeres para los endpoints HTTP o RPC utilizados por la interfaz de usuario. Se corrigió en la versión 1.14.0. • https://discuss.hashicorp.com/t/hcsec-2022-28-consul-cluster-peering-leaks-imported-nodes-services-information/46946 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2022-3867 – Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected
https://notcve.org/view.php?id=CVE-2022-3867
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2. Los suscriptores de flujo de eventos de HashiCorp Nomad y Nomad Enterprise 1.4.0 hasta 1.4.1 que usan un token con TTL reciben actualizaciones hasta que se recolecta la basura del token. Corregido en 1.4.2. • https://discuss.hashicorp.com/t/hcsec-2022-26-nomad-s-event-stream-subscriber-using-acl-token-with-ttl-receive-updates-until-garbage-collected/46168 • CWE-613: Insufficient Session Expiration •