Page 7 of 162 results (0.009 seconds)

CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 0

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1. • https://discuss.hashicorp.com/t/hcsec-2023-25-consul-jwt-auth-in-l7-intentions-allow-for-mismatched-service-identity-and-jwt-providers/57004 • CWE-266: Incorrect Privilege Assignment CWE-285: Improper Authorization •

CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5. A flaw was found in the HashiCorp Vault. The Vault and Vault Enterprise (“Vault”) LDAP auth method allows unauthenticated users to potentially enumerate valid accounts in the configured LDAP system by observing the response error when querying usernames. • https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714 https://access.redhat.com/security/cve/CVE-2023-3462 https://bugzilla.redhat.com/show_bug.cgi?id=2228020 • CWE-203: Observable Discrepancy •

CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0

An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Fixed in 1.14.1, 1.13.5, and 1.12.9. • https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617 • CWE-248: Uncaught Exception CWE-703: Improper Check or Handling of Exceptional Conditions CWE-755: Improper Handling of Exceptional Conditions •

CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0

HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Fixed in 1.6.0, 1.5.7, and 1.4.1. • https://discuss.hashicorp.com/t/hcsec-2023-22-nomad-search-api-leaks-information-about-csi-plugins/56272 • CWE-266: Incorrect Privilege Assignment CWE-862: Missing Authorization •

CVSS: 3.4EPSS: 0%CPEs: 4EXPL: 0

HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11. • https://discuss.hashicorp.com/t/hcsec-2023-21-nomad-caller-acl-tokens-secret-id-is-exposed-to-sentinel/56271 • CWE-201: Insertion of Sensitive Information Into Sent Data CWE-668: Exposure of Resource to Wrong Sphere •