Filtered by vendor Hashicorp
Subscribe
Total
150 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41606 | 1 Hashicorp | 1 Nomad | 2025-05-20 | N/A | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0. | |||||
| CVE-2022-42717 | 2 Hashicorp, Linux | 2 Vagrant, Linux Kernel | 2025-05-20 | N/A | 7.8 HIGH |
| An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root. | |||||
| CVE-2025-3744 | 1 Hashicorp | 1 Nomad | 2025-05-15 | N/A | 7.6 HIGH |
| Nomad Enterprise (“Nomad”) jobs using the policy override option are bypassing the mandatory sentinel policies. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13. | |||||
| CVE-2022-41316 | 1 Hashicorp | 1 Vault | 2025-05-15 | N/A | 5.3 MEDIUM |
| HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10. | |||||
| CVE-2022-36182 | 1 Hashicorp | 1 Boundary | 2025-05-07 | N/A | 6.1 MEDIUM |
| Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site. | |||||
| CVE-2017-15884 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | 6.9 MEDIUM | 7.0 HIGH |
| In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.0, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | |||||
| CVE-2017-12579 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 4.0.24 and earlier allows a non-root user to obtain a root shell. | |||||
| CVE-2017-16777 | 1 Hashicorp | 1 Vagrant | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.3 is installed but VMware Fusion is not, a local attacker can create a fake application directory and exploit the suid sudo helper in order to escalate to root. | |||||
| CVE-2017-16001 | 1 Hashicorp | 1 Vagrant | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | |||||
| CVE-2017-7642 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the encoded ruby script or scrub the PATH variable. | |||||
| CVE-2017-11741 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2025-04-20 | 7.2 HIGH | 8.8 HIGH |
| HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, allows local users to execute arbitrary code with root privileges by overwriting one of the scripts. | |||||
| CVE-2019-14802 | 1 Hashicorp | 1 Nomad | 2025-04-14 | N/A | 5.3 MEDIUM |
| HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template. | |||||
| CVE-2023-2197 | 1 Hashicorp | 1 Vault | 2025-01-30 | N/A | 2.5 LOW |
| HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2 | |||||
| CVE-2024-10086 | 1 Hashicorp | 1 Consul | 2025-01-10 | N/A | 6.1 MEDIUM |
| A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. | |||||
| CVE-2024-10006 | 1 Hashicorp | 1 Consul | 2025-01-10 | N/A | 8.3 HIGH |
| A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. | |||||
| CVE-2024-10005 | 1 Hashicorp | 1 Consul | 2025-01-10 | N/A | 8.1 HIGH |
| A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. | |||||
| CVE-2024-6104 | 1 Hashicorp | 1 Retryablehttp | 2024-11-21 | N/A | 6.0 MEDIUM |
| go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. | |||||
| CVE-2024-1329 | 1 Hashicorp | 1 Nomad | 2024-11-21 | N/A | 7.7 HIGH |
| HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. This vulnerability, CVE-2024-1329, is fixed in Nomad 1.7.4, 1.6.7, and 1.5.14. | |||||
| CVE-2024-1052 | 1 Hashicorp | 1 Boundary | 2024-11-21 | N/A | 8.0 HIGH |
| Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application. | |||||
| CVE-2024-0831 | 1 Hashicorp | 1 Vault | 2024-11-21 | N/A | 4.5 MEDIUM |
| Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`. | |||||