CVSS: 9.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-27195
https://notcve.org/view.php?id=CVE-2020-27195
HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6 HashiCorp Nomad y Nomad Enterprise versiones 0.9.0 hasta 0.12.5, la funcionalidad client file sandbox puede ser subvertido usando la plantilla o estrofas de artefacto. Corregido en las versiones 0.12.6, 0.11.5 y 0.10.6 • https://github.com/hashicorp/nomad/blob/master/CHANGELOG.md#0126-october-21-2020 https://www.nomadproject.io/downloads •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25816
https://notcve.org/view.php?id=CVE-2020-25816
HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4. Las versiones 1.0 y posteriores de HashiCorp Vault y Vault Enterprise permitían que los contratos de arrendamiento creados con un testigo de lote sobrevivieran a su TTL porque el tiempo de caducidad no estaba programado correctamente. Corregido en las versiones 1.4.7 y 1.5.4 • https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#154 https://www.hashicorp.com/blog/category/vault •
CVSS: 8.2EPSS: 0%CPEs: 8EXPL: 0CVE-2020-16251 – vault: GCP Auth Method Allows Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-16251
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1. HashiCorp Vault y Vault Enterprise versiones 0.8.3 y posteriores, cuando son configuradas con el método de autenticación GCP GCE, pueden ser vulnerables a una omisión de autenticación. Corregido en las versiones 1.2.5, 1.3.8, 1.4.4 y 1.5.1 A flaw was found in Vault and Vault Enterprise (“Vault”). In affected versions of Vault, with the GCP Auth Method configured and under certain circumstances, the values relied upon by Vault to validate Google Compute Engine (GCE) VMs may be manipulated and bypass authentication. • http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151 https://www.hashicorp.com/blog/category/vault https://access.redhat.com/security/cve/CVE-2020-16251 https://bugzilla.redhat.com/show_bug.cgi?id=2167340 • CWE-287: Improper Authentication •
CVSS: 8.2EPSS: 0%CPEs: 8EXPL: 0CVE-2020-16250 – vault: Hashicorp Vault AWS IAM Integration Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-16250
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.. HashiCorp Vault y Vault Enterprise versiones 0.7.1 y posteriores, cuando son configuradas con el método de autenticación AWS IAM, pueden ser vulnerables a una omisión de autenticación. Corregido en 1.2.5, 1.3.8, 1.4.4 y 1.5.1.. A flaw was found in Vault and Vault Enterprise (“Vault”). • http://packetstormsecurity.com/files/159478/Hashicorp-Vault-AWS-IAM-Integration-Authentication-Bypass.html https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151 https://www.hashicorp.com/blog/category/vault https://access.redhat.com/security/cve/CVE-2020-16250 https://bugzilla.redhat.com/show_bug.cgi?id=2167337 • CWE-290: Authentication Bypass by Spoofing CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-24359
https://notcve.org/view.php?id=CVE-2020-24359
HashiCorp vault-ssh-helper up to and including version 0.1.6 incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP address assigned to that interface. Fixed in 0.2.0. HashiCorp vault-ssh-helper versiones hasta 0.1.6 incluyéndola, aceptó incorrectamente OTPs SSH Vault-issued para la subred en la que se encontraba la interfaz de red del host, en lugar de la dirección IP específica asignada a esa interfaz. Corregido en la versión 0.2.0. • https://github.com/hashicorp/vault-ssh-helper/blob/master/CHANGELOG.md#020-august-19-2020 https://github.com/hashicorp/vault-ssh-helper/releases • CWE-20: Improper Input Validation •