CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-25243
https://notcve.org/view.php?id=CVE-2022-25243
"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4. Vault y Vault Enterprise versiones 1.8.0 a 1.8.8, y 1.9.3, permitían que el motor de secretos PKI, bajo determinadas configuraciones, emitiera certificados comodín a usuarios autorizados para un dominio especificado, incluso si el atributo de la política de rol PKI allow_subdomains está establecido en falso. Corregido en Vault Enterprise versiones 1.8.9 y 1.9.4 • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-09-vault-pki-secrets-engine-policy-results-in-incorrect-wildcard-certificate-issuance/36600 https://security.gentoo.org/glsa/202207-01 • CWE-295: Improper Certificate Validation •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-25244
https://notcve.org/view.php?id=CVE-2022-25244
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10. Los clústeres de Vault Enterprise usando la funcionalidad tokenization transform pueden exponer la clave de tokenización mediante el endpoint de configuración de la clave de tokenización a operadores autorizados con permisos "read" en este endpoint. Corregido en Vault Enterprise versiones 1.9.4, 1.8.9 y 1.7.10 • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-08-vault-enterprise-s-tokenization-transform-configuration-endpoint-may-expose-transform-key/36599 •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-24685
https://notcve.org/view.php?id=CVE-2022-24685
HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6. HashiCorp Nomad y Nomad Enterprise versiones 1.0.17, 1.1.11 y 1.2.5 permiten HCL no válidos para el punto final de análisis de trabajos, lo que puede causar un uso excesivo de la CPU. Corregido en las versiones 1.0.18, 1.1.12 y 1.2.6. • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/35561 https://security.netapp.com/advisory/ntap-20220331-0007 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25374
https://notcve.org/view.php?id=CVE-2022-25374
HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. Fixed in v202202-1. HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1 y v202201-2 estaban configurados para registrar las peticiones HTTP entrantes de forma que podían capturar datos sensibles. Corregido en v202202-1 • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-06-terraform-enterprise-may-capture-sensitive-data-in-logs • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-24687
https://notcve.org/view.php?id=CVE-2022-24687
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3. Los clusters de HashiCorp Consul y Consul Enterprise versiones 1.9.0 a 1.9.14, 1.10.7 y 1.11.2 con al menos un Ingress Gateway permiten que un usuario con service:write registre un servicio específicamente definido que puede hacer que los servidores de Consul entren en pánico. Corregido en las versiones 1.9.15, 1.10.8 y 1.11.3 • https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers https://security.gentoo.org/glsa/202208-09 https://security.netapp.com/advisory/ntap-20220331-0006 •