Note: This project will be discontinued after December 13, 2021.
Product: Vault (HashiCorp)
Repositories: Unknown: This might be proprietary software.
Vulnerabilities: 47
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2020-09-30 | CVE-2020-25816 | HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4. | Vault | 6.8 | ||
2020-12-17 | CVE-2020-35192 | The official vault docker images before 0.11.6 contain a blank password for a root user. Systems using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | Vault | 9.8 | ||
2020-12-17 | CVE-2020-35177 | HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1. | Vault | 5.3 | ||
2020-12-17 | CVE-2020-35453 | HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1. | Vault | 5.3 | ||
2021-02-01 | CVE-2020-25594 | HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | Vault | 5.3 | ||
2021-02-01 | CVE-2021-3024 | HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. | Vault | 5.3 | ||
2021-02-01 | CVE-2021-3282 | HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2. | Vault | 7.5 | ||
2021-04-22 | CVE-2021-27400 | HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1. | Vault | 7.5 | ||
2021-04-22 | CVE-2021-29653 | HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1. | Vault | 7.5 | ||
2021-06-03 | CVE-2021-32923 | HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2. | Vault | 7.4 | ||