
CVE-2021-32574 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2021-32574
17 Jul 2021 — HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. Versions less than 1.9.17 are affected. • https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856 • CWE-295: Improper Certificate Validation •

CVE-2021-32575
https://notcve.org/view.php?id=CVE-2021-32575
17 Jun 2021 — HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1. • https://discuss.hashicorp.com/t/hcsec-2021-14-nomad-bridge-networking-mode-allows-arp-spoofing-from-other-bridged-tasks-on-same-node/24296 •

CVE-2021-32923 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-32923
03 Jun 2021 — HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. • https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603 • CWE-613: Insufficient Session Expiration •

CVE-2021-32074
https://notcve.org/view.php?id=CVE-2021-32074
07 May 2021 — HashiCorp vault-action (aka Vault GitHub Action) before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking. • https://discuss.hashicorp.com/t/hcsec-2021-13-vault-github-action-did-not-correctly-mask-multi-line-secrets-in-output/24128 • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2021-27400
https://notcve.org/view.php?id=CVE-2021-27400
22 Apr 2021 — HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1. • https://discuss.hashicorp.com/t/hcsec-2021-10-vault-s-cassandra-integrations-did-not-validate-tls-certificates/23463 • CWE-295: Improper Certificate Validation •

CVE-2021-29653
https://notcve.org/view.php?id=CVE-2021-29653
22 Apr 2021 — HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1. • https://discuss.hashicorp.com/t/hcsec-2021-09-vault-s-pki-engine-crl-may-exclude-revoked-but-unexpired-certificates-after-tidy/23461/2 • CWE-295: Improper Certificate Validation •

CVE-2021-30476
https://notcve.org/view.php?id=CVE-2021-30476
22 Apr 2021 — HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1. • https://discuss.hashicorp.com/t/hcsec-2021-11-terraform-s-vault-provider-did-not-correctly-configure-bound-labels-for-gcp-auth/23464/2 •

CVE-2021-28156 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2021-28156
20 Apr 2021 — HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5 and 1.8.10. Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. Versions less than 1.9.17 are affected. • https://discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypass-for-http-events/23369 •

CVE-2020-25864 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2020-25864
20 Apr 2021 — HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. Versions less than 1.9.17 are affected. • https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-3153
https://notcve.org/view.php?id=CVE-2021-3153
26 Mar 2021 — HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an organization-level setting that required users within an organization to have two-factor authentication enabled. Fixed in v202103-1. • https://discuss.hashicorp.com/t/hcsec-2021-06-terraform-enterprise-organization-level-mfa-requirement-was-not-enforced/22401 • CWE-287: Improper Authentication •