CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-42135
https://notcve.org/view.php?id=CVE-2021-42135
11 Oct 2021 — HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. HashiCorp Vault y Vault Enterprise versiones 1.8.x a 1.8.4, pueden tener una interacción inesperada entre las políticas relacionadas con glob y el motor de secre... • https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards • CWE-269: Improper Privilege Management •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-41802 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-41802
08 Oct 2021 — HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. HashiCorp Vault y Vault Enterprise versiones hasta 1.7.4 y 1.8.3, permitían que un usuario con permiso de escritura en un ID de alias de entidad que compartía un accesorio de montaje con otro usuario adquiriera las políticas de e... • https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27668 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-27668
31 Aug 2021 — HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3. HashiCorp Vault Enterprise versiones 0.9.2 hasta 1.6.2, permitía la lectura de metadatos de licencia de DR secundarios sin autenticación. Corregido en versión 1.6.3 Multiple vulnerabilities have been discovered in HashiCorp Vault, the worst of which could result in denial of service. Versions less than 1.10.3 are affected. • https://discuss.hashicorp.com/t/hcsec-2021-05-vault-enterprise-s-dr-secondaries-exposed-license-metadata-without-authentication/21427 • CWE-306: Missing Authentication for Critical Function •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38553 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-38553
13 Aug 2021 — HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. HashiCorp Vault y Vault Enterprise versiones 1.4.0 hasta 1.7.3, inicializaban un archivo de base de datos subyacente asociado con la funcionalidad Integrated Storage con permisos de sistema de archivos excesivamente amplios. Corregido en Vault y Vault Enterprise versión 1.8.0. ... • https://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168 • CWE-281: Improper Preservation of Permissions •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38554 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-38554
13 Aug 2021 — HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. La interfaz de usuario de HashiCorp Vault y Vault Enterprise almacenaba erróneamente en caché y exponía los secretos visualizados por el usuario entre sesiones en un mismo navegador compartido. Corregido en versión 1.8.0 y en versiones pendientes 1.7.4 / 1.6.6. Multiple vulnerabilities have been discovered in HashiCorp Va... • https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 7.4EPSS: 3%CPEs: 6EXPL: 0CVE-2021-32923 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-32923
03 Jun 2021 — HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. HashiCorp Vault y Vault Enterprise permitían la renovación de los contratos de alquiler de tokens casi caducados y de los contratos de alquiler de secretos dinámicos (concretamente, los que estaban a menos de 1 segundo de... • https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603 • CWE-613: Insufficient Session Expiration •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-27400
https://notcve.org/view.php?id=CVE-2021-27400
22 Apr 2021 — HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1 Las integraciones de HashiCorp Vault y Vault Enterprise Cassandra (backend de almacenamiento y plugin del motor de secretos de la base de datos) no comprobaban los certificados TLS al conectarse a los clústeres de Cassandra. Corregido en 1.6.4 y 1.7.1 • https://discuss.hashicorp.com/t/hcsec-2021-10-vault-s-cassandra-integrations-did-not-validate-tls-certificates/23463 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-29653
https://notcve.org/view.php?id=CVE-2021-29653
22 Apr 2021 — HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1. HashiCorp Vault y Vault Enterprise versiones 1.5.1 y posteriores, bajo determinadas circunstancias, pueden excluir certificados revocados pero no vencidos de la CRL. Corregido en versiones 1.5.8, 1.6.4 y 1.7.1 • https://discuss.hashicorp.com/t/hcsec-2021-09-vault-s-pki-engine-crl-may-exclude-revoked-but-unexpired-certificates-after-tidy/23461/2 • CWE-295: Improper Certificate Validation •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3024 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-3024
01 Feb 2021 — HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. HashiCorp Vault y Vault Enterprise revelaron la dirección IP interna del nodo de Vault al responder a algunas peticiones HTTP no válidas y no autenticadas. Corregido en las versiones 1.6.2 y 1.5.7 Multiple vulnerabilities have been discovered in HashiCorp Vault, the worst of which could result in denial of service. Versions less... • https://discuss.hashicorp.com/t/hcsec-2021-02-vault-api-endpoint-exposed-internal-ip-address-without-authentication/20334 •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25594 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2020-25594
01 Feb 2021 — HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. HashiCorp Vault y Vault Enterprise permitieron la enumeración de rutas de montaje de Secrets Engine por medio de peticiones HTTP no autenticadas. Corregido en las versiones 1.6.2 y 1.5.7 Multiple vulnerabilities have been discovered in HashiCorp Vault, the worst of which could result in denial of service. Versions less than 1.10.3 are affected. • https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336 •