
CVE-2023-0475 – Go-Getter Vulnerable to Decompression Bombs
https://notcve.org/view.php?id=CVE-2023-0475
16 Feb 2023 — HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0. A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive. The OpenShift Security Profiles Operator v0.7.0 is now available. • https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125 • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

CVE-2023-0690 – Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured
https://notcve.org/view.php?id=CVE-2023-0690
08 Feb 2023 — HashiCorp Boundary from 0.10.0 through 0.11.2 contains an issue where, when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker's disk. This issue is fixed in version 0.12.0. • https://discuss.hashicorp.com/t/hcsec-2023-03-boundary-workers-store-rotated-credentials-in-plaintext-even-when-key-management-service-configured/49907 • CWE-311: Missing Encryption of Sensitive Data • CWE-312: Cleartext Storage of Sensitive Information

CVE-2019-14802
https://notcve.org/view.php?id=CVE-2019-14802
26 Dec 2022 — HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template. • https://advisories.gitlab.com/advisory/advgo_github_com_hashicorp_nomad_client_allocrunner_taskrunner_template_GMS_2022_818.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2022-3920 – Consul Peering Imported Nodes/Services Leak
https://notcve.org/view.php?id=CVE-2022-3920
15 Nov 2022 — HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster peering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0. • https://discuss.hashicorp.com/t/hcsec-2022-28-consul-cluster-peering-leaks-imported-nodes-services-information/46946 • CWE-862: Missing Authorization

CVE-2022-3867 – Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected
https://notcve.org/view.php?id=CVE-2022-3867
10 Nov 2022 — In HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1, event stream subscribers using a token with TTL receive updates until the token is garbage collected. Fixed in 1.4.2. • https://discuss.hashicorp.com/t/hcsec-2022-26-nomad-s-event-stream-subscriber-using-acl-token-with-ttl-receive-updates-until-garbage-collected/46168 • CWE-613: Insufficient Session Expiration

CVE-2022-3866 – Nomad Workload Identity Token Can List Non-sensitive Metadata for Paths Under nomad/
https://notcve.org/view.php?id=CVE-2022-3866
10 Nov 2022 — In HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1, a workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2. • https://discuss.hashicorp.com/t/hcsec-2022-25-nomad-s-workload-identity-token-can-list-non-sensitive-metadata-for-nomad-paths/46167 • CWE-668: Exposure of Resource to Wrong Sphere

CVE-2022-41316 – vault: insufficient certificate revocation list checking
https://notcve.org/view.php?id=CVE-2022-41316
12 Oct 2022 — HashiCorp Vault and Vault Enterprise's TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10. • https://discuss.hashicorp.com • CWE-295: Improper Certificate Validation

CVE-2022-41606
https://notcve.org/view.php?id=CVE-2022-41606
11 Oct 2022 — In HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5, jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0. • https://discuss.hashicorp.com • CWE-20: Improper Input Validation

CVE-2022-42717
https://notcve.org/view.php?id=CVE-2022-42717
11 Oct 2022 — An issue was discovered in HashiCorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root. • https://discuss.hashicorp.com/t/hcsec-2022-23-vagrant-nfs-sudoers-configuration-allows-for-local-privilege-escalation/45423 • CWE-284: Improper Access Control

CVE-2022-36182 – Hashicorp Boundary Clickjacking
https://notcve.org/view.php?id=CVE-2022-36182
07 Oct 2022 — HashiCorp Boundary v0.8.0 is vulnerable to Clickjacking, which allows for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site. HashiCorp Boundary versions prior to 0.11.0 suffer from a click... • https://owasp.org/www-community/attacks/Clickjacking • CWE-1021: Improper Restriction of Rendered UI Layers or Frames