RSS   Podatności dla 'Vault'   RSS

2021-11-30
 
CVE-2021-43998

CWE-732
 

 
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

 
2021-08-31
 
CVE-2021-27668

CWE-287
 

 
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.

 
2021-04-22
 
CVE-2021-29653

CWE-295
 

 
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.

 
 
CVE-2021-27400

CWE-295
 

 
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1

 
2021-02-01
 
CVE-2021-3282

CWE-287
 

 
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.

 
 
CVE-2021-3024

NVD-CWE-noinfo
 

 
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

 
 
CVE-2020-25594

NVD-CWE-noinfo
 

 
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

 
2020-12-17
 
CVE-2020-35453

CWE-20
 

 

 
 
CVE-2020-35192

CWE-306
 

 
The official vault docker images before 0.11.6 contain a blank password for a root user. System using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.

 
 
CVE-2020-35177

CWE-200
 

 
HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

 


Copyright 2022, cxsecurity.com

 

Back to Top