Hashicorp Latest Vulnerabilities

November 7

Arbitrary Cross-Namespace Volume Creation Vulnerability

CVE-2024-10975
Hashicorp | Nomad | 7.7 | HIGH

October 30

Reflective XSS Vulnerability Found in Consul and Consul Enterprise

CVE-2024-10086
Hashicorp | Consul | 6.1 | MEDIUM

Bypassing HTTP Header Based Access Rules via L7 Traffic Intentions

CVE-2024-10006
Hashicorp | Consul | 5.8 | MEDIUM

Bypassing HTTP Request Path-Based Access Rules Through URL Paths in L7 Traffic

CVE-2024-10005
Hashicorp | Consul | 5.8 | MEDIUM

October 29

Vagrant Vulnerability Allows Unauthorized File System Writes

CVE-2024-10228
Hashicorp | Vagrant | 3.3 | LOW

October 10

Root Privileges Escalation Vulnerability in Vault

CVE-2024-9180
Hashicorp | Vault | 7.2 | HIGH

September 26

Vault SSH secrets engine vulnerability: unauthorized access via SSH certificates

CVE-2024-7594
Hashicorp | Vault | 7.5 | HIGH

September 2

Vault Leaks AppRole Client Tokens And Accessor in Audit Log

CVE-2024-8365
Hashicorp | Vault | 6.5 | MEDIUM

August 15

Nomad Archives Vulnerability: Write Access Outside Allocation Directory

CVE-2024-7625
Hashicorp | Nomad | 5.8 | MEDIUM

July 23

Nomad Platform Vulnerable to Path Escape During Migration

CVE-2024-6717
Hashicorp | Nomad | 7.7 | HIGH

June 25

Malicious Git Configuration Execution via go-getter Library

CVE-2024-6257
Hashicorp | Shared Library | 8.4 | HIGH

June 24

Sensitive HTTP Basic Auth Credentials at Risk in go-retryablehttp Prior to 0.7.7

CVE-2024-6104
Hashicorp | Shared Library | 5.5 | MEDIUM

June 12

Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims

CVE-2024-5798
Hashicorp | Vault | 2.6 | LOW

April 30

Vault Enterprise Leaks Sensitive HTTP Request Headers in the Audit Log When Deployed With a Performance Standby Node

CVE-2024-2877
Hashicorp | Vault Enterprise | 5.5 | MEDIUM

April 17

Git Injection Vulnerability Affects HashiCorp's go-getter Library

CVE-2024-3817
Hashicorp | Shared Library | 9.8 | CRITICAL

April 4

OCSP Response Validation Fix for Vault and Vault Enterprise TLS Certificates

CVE-2024-2660
Hashicorp | Vault | 6.4 | MEDIUM

March 4

Certificate Validation Bypass Vulnerability

CVE-2024-2048
Hashicorp | Vault | 8.1 | HIGH

February 8

Nomad Client User Arbitrary File Write Vulnerability

CVE-2024-1329
Hashicorp | Nomad | 7.5 | HIGH

February 5

TLS Certificate Tampering Vulnerability in Boundary Enterprise

CVE-2024-1052
Hashicorp | Boundary | 8 | HIGH

February 1

Vault May Expose Sensitive Information When Configuring An Audit Log Device

CVE-2024-0831
Hashicorp | Vault | 6.5 | MEDIUM

December 8

Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests

CVE-2023-6337
HashiCorp | Vault | 7.5 | HIGH

November 9

Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption

CVE-2023-5954
HashiCorp | Vault | 7.5 | HIGH

October 27

Vagrant’s Windows Installer Allowed Directory Junction Write

CVE-2023-5834
Hashicorp | Vagrant | 3.8 | LOW

September 29

Vault Enterprise's Sentinel RGP Policies Allowed For Cross-Namespace Denial of Service

CVE-2023-3775
Hashicorp | Vault Enterprise | 4.9 | MEDIUM

Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets

CVE-2023-5077
Hashicorp | Vault | 7.5 | HIGH

September 15

Vault's Transit Secrets Engine Allowed Nonce Specified without Convergent Encryption

CVE-2023-4680
Hashicorp | Vault | 6.8 | MEDIUM

September 8

Terraform Allows Arbitrary File Write During Init Operation

CVE-2023-4782
Hashicorp | Terraform | 6.3 | MEDIUM

August 9

JWT Auth in L7 Intentions Allow For Mismatched Service Identity and JWT Providers for Access

CVE-2023-3518
Hashicorp | Consul | 7.4 | HIGH

July 31

Vault's LDAP Auth Method Allows for User Enumeration

CVE-2023-3462
Hashicorp | Vault | 5.3 | MEDIUM

July 28

Vault Enterprise Namespace Creation May Lead to Denial of Service

CVE-2023-3774
Hashicorp | Vault Enterprise | 4.9 | MEDIUM

July 20

Nomad ACL Policies without Label are Applied to Unexpected Resources

CVE-2023-3072
Hashicorp | Nomad | 4.1 | MEDIUM

Nomad Search API Leaks Information About CSI Plugins

CVE-2023-3300
Hashicorp | Nomad | 5.3 | MEDIUM

Nomad Caller ACL Token's Secret ID is Exposed to Sentinel

CVE-2023-3299
Hashicorp | Nomad Enterprise | 3.4 | LOW

June 22

Terraform Enterprise Agent Pool Controls Allowed Unauthorized Workspaces To Target an Agent Pool

CVE-2023-3114
Hashicorp | Terraform Enterprise | 7.7 | HIGH

June 9

Vault’s KV Diff Viewer Allowed for HTML Injection

CVE-2023-2121
HashiCorp | Vault | 5.4 | MEDIUM

June 2

Consul Cluster Peering can Result in Denial of Service

CVE-2023-1297
HashiCorp | Consul | 7.5 | HIGH

Consul Envoy Extension Downstream Proxy Configuration By Upstream Service Owner

CVE-2023-2816
Hashicorp | Consul | 8.7 | HIGH

May 1

Vault Enterprise Vulnerable to Padding Oracle Attacks When Using a CBC-based Encryption Mechanism with a HSM

CVE-2023-2197
HashiCorp | Vault Enterprise | 2.5 | LOW

April 5

Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation

CVE-2023-1782
HashiCorp | Nomad | 9.8 | CRITICAL

March 30

Vault PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata

CVE-2023-0665
HashiCorp | Vault | 6.5 | MEDIUM

Vault Vulnerable to SQL Injection When Configuring the Microsoft SQL Database Storage Backend

CVE-2023-0620
HashiCorp | Vault | 6.7 | MEDIUM

Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations

CVE-2023-25000
HashiCorp | Vault | 4.7 | MEDIUM

March 14

Nomad ACLs Can Not Deny Access to Workload's Own Variables

CVE-2023-1296
HashiCorp | Nomad | 5.3 | MEDIUM

Nomad Job Submitter Privilege Escalation Using Workload Identity

CVE-2023-1299
HashiCorp | Nomad | 8.8 | HIGH

March 11

Vault Fails to Verify if the AppRole SecretID Belongs to Role During a Destroy Operation

CVE-2023-24999
HashiCorp | Vault | 8.1 | HIGH

March 9

Consul Server Panic when Ingress and API Gateways Configured with Peering

CVE-2023-0845
HashiCorp | Consul | 6.5 | MEDIUM

February 16

Nomad Client Vulnerable to Decompression Bombs in Artifact Block

CVE-2023-0821
HashiCorp | Nomad | 6.5 | MEDIUM

Go-Getter Vulnerable to Decompression Bombs

CVE-2023-0475
HashiCorp | go-getter | 6.5 | MEDIUM

February 8

Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured

CVE-2023-0690
HashiCorp | Boundary | 7.1 | HIGH

December 26

CVE-2019-14802
Hashicorp | Nomad | 5.3 | MEDIUM

November 16

Consul Peering Imported Nodes/Services Leak

CVE-2022-3920
Hashicorp | Consul | 5.3 | MEDIUM

November 10

Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected

CVE-2022-3867
Hashicorp | Nomad | 2.7 | LOW

Nomad Workload Identity Token Can List Non-sensitive Metadata for Paths Under nomad/

CVE-2022-3866
Hashicorp | Nomad | 5 | MEDIUM

October 27

CVE-2022-36182
Hashicorp | Boundary | 6.1 | MEDIUM

October 12

CVE-2022-41606
Hashicorp | Nomad | 6.5 | MEDIUM

CVE-2022-41316
Hashicorp | Vault | 5.3 | MEDIUM

October 11

CVE-2022-42717
Hashicorp | Vagrant | 7.8 | HIGH

September 23

CVE-2022-40716
Hashicorp | Consul | 6.5 | MEDIUM

CVE-2021-41803
Hashicorp | Consul | 7.1 | HIGH

September 22

CVE-2022-40186
Hashicorp | Vault | 9.1 | CRITICAL

September 1

CVE-2022-36130
Hashicorp | Boundary | 9.9 | CRITICAL

August 17

CVE-2022-38149
Hashicorp | Consul Template | 7.5 | HIGH

July 26

CVE-2022-36129
Hashicorp | Vault | 9.1 | CRITICAL

June 2

CVE-2022-30324
Hashicorp | Nomad | 9.8 | CRITICAL

May 25

CVE-2022-26945
Hashicorp | Go-getter | 9.8 | CRITICAL

CVE-2022-30321
Hashicorp | Go-getter | 8.6 | HIGH

CVE-2022-30322
Hashicorp | Go-getter | 8.6 | HIGH

CVE-2022-30323
Hashicorp | Go-getter | 8.6 | HIGH

May 17

CVE-2022-30689
Hashicorp | Vault | 5.3 | MEDIUM

April 27

CVE-2022-29810
Hashicorp | Go-getter | 5.5 | MEDIUM

April 19

CVE-2022-29153
Hashicorp | Consul | 7.5 | HIGH

March 23

CVE-2021-44139
Hashicorp | Sentinel | 7.5 | HIGH

March 10

CVE-2022-25243
Hashicorp | Vault | 6.5 | MEDIUM

CVE-2022-25244
Hashicorp | Vault | 6.5 | MEDIUM

February 28

CVE-2022-24685
Hashicorp | Nomad | 7.5 | HIGH

February 25

CVE-2022-25374
Hashicorp | Terraform Enterprise | 7.5 | HIGH

February 24

CVE-2022-24687
Hashicorp | Consul | 6.5 | MEDIUM

February 17

CVE-2022-24683
Hashicorp | Nomad | 7.5 | HIGH

February 15

CVE-2022-24684
Hashicorp | Nomad | 6.5 | MEDIUM

February 14

CVE-2022-24686
Hashicorp | Nomad | 5.9 | MEDIUM

December 17

CVE-2021-45042
Hashicorp | Vault | 4.9 | MEDIUM

December 12

CVE-2021-41805
Hashicorp | Consul | 8.8 | HIGH

December 3

CVE-2021-43415
Hashicorp | Nomad | 8.8 | HIGH

November 30

CVE-2021-43998
Hashicorp | Vault | 6.5 | MEDIUM

October 11

CVE-2021-42135
Hashicorp | Vault | 8.1 | HIGH

October 8

CVE-2021-41802
Hashicorp | Vault | 2.9 | LOW

October 7

CVE-2021-41865
Hashicorp | Nomad | 6.5 | MEDIUM

September 15

CVE-2021-40862
Hashicorp | Terraform Enterprise | 8.8 | HIGH

September 7

CVE-2021-38698
Hashicorp | Consul | 6.5 | MEDIUM

CVE-2021-37218
Hashicorp | Nomad | 8.8 | HIGH

CVE-2021-37219
Hashicorp | Consul | 8.8 | HIGH

August 31

CVE-2021-27668
Hashicorp | Vault | 5.3 | MEDIUM

August 13

CVE-2021-38553
Hashicorp | Vault | 4.4 | MEDIUM

CVE-2021-38554
Hashicorp | Vault | 5.3 | MEDIUM

July 20

CVE-2021-36230
Hashicorp | Terraform | 8.8 | HIGH

July 17

CVE-2021-36213
Hashicorp | Consul | 7.5 | HIGH

CVE-2021-32574
Hashicorp | Consul | 7.5 | HIGH

June 17

CVE-2021-32575
Hashicorp | Nomad | 6.5 | MEDIUM

June 3

CVE-2021-32923
Hashicorp | Vault | 7.4 | HIGH

May 7

CVE-2021-32074
Hashicorp | Vault-action | 7.5 | HIGH