CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-45042 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-45042
17 Dec 2021 — In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0. En HashiCorp Vault y Vault Enterprise versiones anteriores a 1.7.7, 1.8.x anteriores a 1.8.6 y 1.9.x anteriores a 1.9.1, los clusters que usaban el backend de almacenamiento integrado per... • https://discuss.hashicorp.com/t/hcsec2-21-33-vault-s-kv-secrets-engine-with-integrated-storage-exposed-to-authenticated-denial-of-service/33157 •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-43998 – vault: incorrect policy enforcement
https://notcve.org/view.php?id=CVE-2021-43998
30 Nov 2021 — HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0. Las políticas ACL templadas de HashiCorp Vault y Vault Enterprise 0.11.0 versiones hasta 1.7.5 y 1.8.4 siempre coincidían con el primer alias de entidad creado si presentaban var... • https://discuss.hashicorp.com/t/hcsec-2021-30-vaults-templated-acl-policies-matched-first-created-alias-per-entity-and-auth-backend/32132 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-42135
https://notcve.org/view.php?id=CVE-2021-42135
11 Oct 2021 — HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. HashiCorp Vault y Vault Enterprise versiones 1.8.x a 1.8.4, pueden tener una interacción inesperada entre las políticas relacionadas con glob y el motor de secre... • https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards • CWE-269: Improper Privilege Management •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-41802 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-41802
08 Oct 2021 — HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. HashiCorp Vault y Vault Enterprise versiones hasta 1.7.4 y 1.8.3, permitían que un usuario con permiso de escritura en un ID de alias de entidad que compartía un accesorio de montaje con otro usuario adquiriera las políticas de e... • https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27668 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-27668
31 Aug 2021 — HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3. HashiCorp Vault Enterprise versiones 0.9.2 hasta 1.6.2, permitía la lectura de metadatos de licencia de DR secundarios sin autenticación. Corregido en versión 1.6.3 Multiple vulnerabilities have been discovered in HashiCorp Vault, the worst of which could result in denial of service. Versions less than 1.10.3 are affected. • https://discuss.hashicorp.com/t/hcsec-2021-05-vault-enterprise-s-dr-secondaries-exposed-license-metadata-without-authentication/21427 • CWE-306: Missing Authentication for Critical Function •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38553 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-38553
13 Aug 2021 — HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. HashiCorp Vault y Vault Enterprise versiones 1.4.0 hasta 1.7.3, inicializaban un archivo de base de datos subyacente asociado con la funcionalidad Integrated Storage con permisos de sistema de archivos excesivamente amplios. Corregido en Vault y Vault Enterprise versión 1.8.0. ... • https://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168 • CWE-281: Improper Preservation of Permissions •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38554 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-38554
13 Aug 2021 — HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. La interfaz de usuario de HashiCorp Vault y Vault Enterprise almacenaba erróneamente en caché y exponía los secretos visualizados por el usuario entre sesiones en un mismo navegador compartido. Corregido en versión 1.8.0 y en versiones pendientes 1.7.4 / 1.6.6. Multiple vulnerabilities have been discovered in HashiCorp Va... • https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 7.4EPSS: 3%CPEs: 6EXPL: 0CVE-2021-32923 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-32923
03 Jun 2021 — HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. HashiCorp Vault y Vault Enterprise permitían la renovación de los contratos de alquiler de tokens casi caducados y de los contratos de alquiler de secretos dinámicos (concretamente, los que estaban a menos de 1 segundo de... • https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603 • CWE-613: Insufficient Session Expiration •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-27400
https://notcve.org/view.php?id=CVE-2021-27400
22 Apr 2021 — HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1 Las integraciones de HashiCorp Vault y Vault Enterprise Cassandra (backend de almacenamiento y plugin del motor de secretos de la base de datos) no comprobaban los certificados TLS al conectarse a los clústeres de Cassandra. Corregido en 1.6.4 y 1.7.1 • https://discuss.hashicorp.com/t/hcsec-2021-10-vault-s-cassandra-integrations-did-not-validate-tls-certificates/23463 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-29653
https://notcve.org/view.php?id=CVE-2021-29653
22 Apr 2021 — HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1. HashiCorp Vault y Vault Enterprise versiones 1.5.1 y posteriores, bajo determinadas circunstancias, pueden excluir certificados revocados pero no vencidos de la CRL. Corregido en versiones 1.5.8, 1.6.4 y 1.7.1 • https://discuss.hashicorp.com/t/hcsec-2021-09-vault-s-pki-engine-crl-may-exclude-revoked-but-unexpired-certificates-after-tidy/23461/2 • CWE-295: Improper Certificate Validation •