CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-42135
https://notcve.org/view.php?id=CVE-2021-42135
11 Oct 2021 — HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials. HashiCorp Vault y Vault Enterprise versiones 1.8.x a 1.8.4, pueden tener una interacción inesperada entre las políticas relacionadas con glob y el motor de secre... • https://discuss.hashicorp.com/t/hcsec-2021-28-vaults-google-cloud-secrets-engine-policies-with-globs-may-provide-additional-privileges-in-vault-1-8-0-onwards • CWE-269: Improper Privilege Management •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-41802 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-41802
08 Oct 2021 — HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. HashiCorp Vault y Vault Enterprise versiones hasta 1.7.4 y 1.8.3, permitían que un usuario con permiso de escritura en un ID de alias de entidad que compartía un accesorio de montaje con otro usuario adquiriera las políticas de e... • https://discuss.hashicorp.com/t/hcsec-2021-27-vault-merging-multiple-entity-aliases-for-the-same-mount-may-allow-privilege-escalation • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38553 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-38553
13 Aug 2021 — HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. HashiCorp Vault y Vault Enterprise versiones 1.4.0 hasta 1.7.3, inicializaban un archivo de base de datos subyacente asociado con la funcionalidad Integrated Storage con permisos de sistema de archivos excesivamente amplios. Corregido en Vault y Vault Enterprise versión 1.8.0. ... • https://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168 • CWE-281: Improper Preservation of Permissions •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38554 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-38554
13 Aug 2021 — HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. La interfaz de usuario de HashiCorp Vault y Vault Enterprise almacenaba erróneamente en caché y exponía los secretos visualizados por el usuario entre sesiones en un mismo navegador compartido. Corregido en versión 1.8.0 y en versiones pendientes 1.7.4 / 1.6.6. Multiple vulnerabilities have been discovered in HashiCorp Va... • https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2015-5711
https://notcve.org/view.php?id=CVE-2015-5711
29 Sep 2015 — TIBCO Managed File Transfer Internet Server before 7.2.5, Managed File Transfer Command Center before 7.2.5, Slingshot before 1.9.4, and Vault before 2.0.1 allow remote authenticated users to obtain sensitive information via a crafted HTTP request. Vulnerabilidad en TIBCO Managed File Transfer Internet Server en versiones anteriores a 7.2.5, Managed File Transfer Command Center en versiones anteriores a 7.2.5, Slingshot en versiones anteriores a 1.9.4 y Vault en versiones anteriores a 2.0.1, permite a usuar... • http://www.securitytracker.com/id/1033678 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •