Filtered by vendor Hashicorp
Subscriptions
Total
154 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-40186 | 2 Hashicorp, Redhat | 2 Vault, Openshift Data Foundation | 2025-05-27 | 9.1 Critical |
| An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault. | ||||
| CVE-2021-41803 | 1 Hashicorp | 1 Consul | 2025-05-27 | 7.1 High |
| HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2." | ||||
| CVE-2022-40716 | 1 Hashicorp | 1 Consul | 2025-05-27 | 6.5 Medium |
| HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2." | ||||
| CVE-2022-41606 | 1 Hashicorp | 1 Nomad | 2025-05-20 | 6.5 Medium |
| HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0. | ||||
| CVE-2022-42717 | 2 Hashicorp, Linux | 2 Vagrant, Linux Kernel | 2025-05-20 | 7.8 High |
| An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root. | ||||
| CVE-2025-3744 | 1 Hashicorp | 1 Nomad | 2025-05-15 | 7.6 High |
| Nomad Enterprise (“Nomad”) jobs using the policy override option are bypassing the mandatory sentinel policies. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13. | ||||
| CVE-2022-41316 | 2 Hashicorp, Redhat | 3 Vault, Openshift, Openshift Data Foundation | 2025-05-15 | 5.3 Medium |
| HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10. | ||||
| CVE-2022-36182 | 1 Hashicorp | 1 Boundary | 2025-05-07 | 6.1 Medium |
| Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site. | ||||
| CVE-2022-3866 | 1 Hashicorp | 1 Nomad | 2025-05-01 | 5 Medium |
| HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2. | ||||
| CVE-2022-3867 | 1 Hashicorp | 1 Nomad | 2025-05-01 | 2.7 Low |
| HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2. | ||||
| CVE-2022-3920 | 1 Hashicorp | 1 Consul | 2025-04-29 | 5.3 Medium |
| HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0. | ||||
| CVE-2017-16001 | 1 Hashicorp | 1 Vagrant | 2025-04-20 | N/A |
| In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | ||||
| CVE-2017-7642 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | N/A |
| The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the encoded ruby script or scrub the PATH variable. | ||||
| CVE-2017-15884 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | N/A |
| In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.0, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | ||||
| CVE-2017-11741 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | N/A |
| HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, allows local users to execute arbitrary code with root privileges by overwriting one of the scripts. | ||||
| CVE-2017-16777 | 1 Hashicorp | 1 Vagrant | 2025-04-20 | N/A |
| If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.3 is installed but VMware Fusion is not, a local attacker can create a fake application directory and exploit the suid sudo helper in order to escalate to root. | ||||
| CVE-2017-12579 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | N/A |
| An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 4.0.24 and earlier allows a non-root user to obtain a root shell. | ||||
| CVE-2019-14802 | 1 Hashicorp | 1 Nomad | 2025-04-14 | 5.3 Medium |
| HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template. | ||||
| CVE-2023-0690 | 1 Hashicorp | 1 Boundary | 2025-03-24 | 5 Medium |
| HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0. | ||||
| CVE-2023-0475 | 2 Hashicorp, Redhat | 2 Go-getter, Openshift | 2025-03-18 | 4.2 Medium |
| HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0. | ||||