Skip to main content

Hashicorp

344 CVEs vendor

Monthly

CVE-2025-31101 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 allows Stored XSS.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-1636 MEDIUM This Month

Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Hashicorp Information Disclosure Remote Desktop Manager Windows
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-43779 HIGH POC This Month

An information disclosure vulnerability exists in the Vault API functionality of ClearML Enterprise Server 3.22.5-1533. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Clearml Enterprise Server
NVD
CVSS 3.1
7.7
EPSS
0.3%
CVE-2024-57967 MEDIUM Monitor

PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 has potentially elevated privileges in LDAP mapping. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.

Hashicorp Information Disclosure
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2024-54840 MEDIUM Monitor

PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Hashicorp Code Injection Privileged Access Manager
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-24459 MEDIUM Monitor

In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 19.9% and no vendor patch available.

Hashicorp XSS Teamcity
NVD
CVSS 3.1
4.6
EPSS
19.9%
CVE-2025-0377 Go HIGH PATCH This Month

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Go Slug Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-56802 HIGH This Week

Tapir is a private Terraform registry. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2024-11672 MEDIUM This Month

Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Microsoft Remote Desktop Manager
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2024-10492 Maven LOW PATCH Monitor

A vulnerability was found in Keycloak. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Hashicorp
NVD GitHub VulDB
CVSS 3.0
2.7
EPSS
0.1%
CVE-2024-53915 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24405. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53914 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24344. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53913 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24343. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53912 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24341. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53911 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24339. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53910 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24336. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53909 CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24334. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp Enterprise Vault
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-52944 MEDIUM This Month

An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24698. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Enterprise Vault
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-52943 MEDIUM This Month

An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24697. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Enterprise Vault
NVD
CVSS 3.1
5.4
EPSS
1.1%
CVE-2024-52942 MEDIUM This Month

An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24696. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Enterprise Vault
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-52941 MEDIUM This Month

An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24695. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-52009 Go HIGH POC PATCH This Week

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Atlantis
NVD GitHub
CVSS 4.0
8.5
EPSS
0.7%
CVE-2024-8185 Go HIGH PATCH This Week

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service Vault Openbao
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-9180 Go HIGH PATCH This Week

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Hashicorp Openbao Vault
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2024-45744 MEDIUM This Month

TopQuadrant TopBraid EDG stores external credentials insecurely. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Topbraid Edg
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-7594 Go HIGH PATCH This Week

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault Openbao
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-47083 HIGH This Week

Power Platform Terraform Provider allows managing environments and other resources within Power Platform. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Power Platform Terraform Provider
NVD GitHub
CVSS 4.0
8.8
EPSS
1.6%
CVE-2024-8775 PyPI MEDIUM PATCH This Month

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Information Disclosure
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2024-8365 Go MEDIUM PATCH This Month

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-43808 MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-7625 Go MEDIUM PATCH This Month

In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Hashicorp Information Disclosure Nomad
NVD
CVSS 3.1
5.8
EPSS
0.3%
CVE-2024-42219 HIGH This Week

1Password 8 before 8.10.36 for macOS allows local attackers to exfiltrate vault items because XPC inter-process communication validation is insufficient. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Hashicorp Information Disclosure 1Password
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-42218 MEDIUM This Month

1Password 8 before 8.10.38 for macOS allows local attackers to exfiltrate vault items by bypassing macOS-specific security mechanisms. Rated medium severity (CVSS 4.7). No vendor patch available.

Authentication Bypass Apple Hashicorp 1Password
NVD
CVSS 3.1
4.7
EPSS
0.2%
CVE-2024-6717 Go HIGH PATCH This Week

HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Nomad
NVD
CVSS 3.1
8.6
EPSS
0.4%
CVE-2024-6468 Go HIGH PATCH This Week

Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service Vault
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-6257 Go HIGH PATCH This Week

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Hashicorp Command Injection Go Getter
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-6057 CRITICAL Act Now

Improper authentication in the vault password feature in Devolutions Remote Desktop Manager 2024.1.31.0 and earlier allows an attacker that has compromised an access to an RDM instance to bypass the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Remote Desktop Manager
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-5798 Go HIGH PATCH This Week

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Vault
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-3744 Go MEDIUM PATCH This Month

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Microsoft
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-4536 Maven MEDIUM PATCH This Month

In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the. Rated medium severity (CVSS 5.3).

Hashicorp Information Disclosure Edc Connector
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-34404 MEDIUM This Month

A vulnerability was discovered in the Alta Recovery Vault feature of Veritas NetBackup before 10.4 and NetBackup Appliance before 5.4. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp
NVD
CVSS 3.1
6.8
EPSS
0.4%
CVE-2024-2877 MEDIUM This Month

Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-3817 Go CRITICAL PATCH Act Now

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Hashicorp Go Getter
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-3545 MEDIUM This Month

Improper permission handling in the vault offline cache feature in Devolutions Remote Desktop Manager 2024.1.20 and earlier on windows and Devolutions Server 2024.1.8 and earlier allows an attacker. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Microsoft Devolutions Server Remote Desktop Manager
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-2660 Go MEDIUM PATCH This Month

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD
CVSS 3.1
6.8
EPSS
0.3%
CVE-2024-2921 CRITICAL Act Now

Improper access control in PAM vault permissions in Devolutions Server 2024.1.10.0 and earlier allows an authenticated user with access to the PAM to access unauthorized PAM entries via a specific. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Devolutions Server
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-24272 HIGH POC This Week

An issue in iTop DualSafe Password Manager & Digital Vault before 1.4.24 allows a local attacker to obtain sensitive information via leaked credentials as plaintext in a log file that can be accessed. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Dualsafe Password Manager
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-27918 Go HIGH PATCH This Week

Coder allows oragnizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Hashicorp Coder
NVD GitHub
CVSS 3.1
8.2
EPSS
1.0%
CVE-2024-22167 HIGH This Week

A potential DLL hijacking vulnerability in the SanDisk PrivateAccess application for Windows that could lead to arbitrary code execution in the context of the system user. Rated high severity (CVSS 7.9), this vulnerability is low attack complexity. No vendor patch available.

RCE Hashicorp Microsoft
NVD
CVSS 3.1
7.9
EPSS
0.2%
CVE-2024-2048 Go CRITICAL PATCH Act Now

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Vault Openbao
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-22473 HIGH This Week

TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Gecko Software Development Kit
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-20911 LOW Monitor

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Hashicorp Oracle Audit Vault And Database Firewall
NVD
CVSS 3.1
2.6
EPSS
0.3%
CVE-2024-20909 HIGH This Week

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Oracle Audit Vault And Database Firewall
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-1329 Go HIGH PATCH This Week

HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Nomad
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-0831 Go MEDIUM POC PATCH This Month

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Vault
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2024-20924 HIGH PATCH This Week

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable.

Hashicorp Information Disclosure Oracle Audit Vault And Database Firewall
NVD
CVSS 3.1
7.6
EPSS
0.4%
CVE-2024-20912 LOW PATCH Monitor

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Hashicorp Oracle Audit Vault And Database Firewall
NVD
CVSS 3.1
2.7
EPSS
0.3%
CVE-2024-20910 LOW PATCH Monitor

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated low severity (CVSS 3.0), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Hashicorp Information Disclosure Oracle Audit Vault And Database Firewall
NVD
CVSS 3.1
3.0
EPSS
0.3%
CVE-2023-5138 MEDIUM This Month

Glitch detection is not enabled by default for the CortexM33 core in Silicon Labs secure vault high parts EFx32xG2xB, except EFR32xG21B. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Gecko Software Development Kit
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2023-6337 Go HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Hashicorp Vault
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-5954 Go HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Vault
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-45189 MEDIUM PATCH This Month

A vulnerability in IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.10, 23.0.0 through 23.0.10 may result in access to client vault credentials. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Hashicorp IBM Robotic Process Automation For Cloud Pak
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-5834 Go HIGH PATCH This Week

HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Hashicorp Vagrant
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2023-5077 Go HIGH PATCH This Week

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Hashicorp Vault
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-3775 MEDIUM This Month

A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace,. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Hashicorp Vault
NVD
CVSS 3.1
4.9
EPSS
0.5%
CVE-2023-43637 Go HIGH PATCH This Week

Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Eve
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2023-43634 Go HIGH PATCH This Week

When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Eve
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2023-43633 Go HIGH PATCH This Week

On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Eve
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2023-43631 Go HIGH PATCH This Week

On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Edge Virtualization Engine
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2023-43636 Go HIGH PATCH This Week

In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypted data located in the vault. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Edge Virtualization Engine
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2023-43635 Go HIGH PATCH This Week

Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Edge Virtualization Engine
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2023-43630 Go HIGH PATCH This Week

PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Edge Virtualization Engine
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2023-4680 Go MEDIUM PATCH This Month

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Hashicorp Vault
NVD
CVSS 3.1
6.8
EPSS
0.4%
CVE-2023-4782 Go HIGH PATCH This Week

Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Hashicorp Terraform
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-4417 MEDIUM This Month

Improper access controls in the entry duplication component in Devolutions Remote Desktop Manager 2023.2.19 and earlier versions on Windows allows an authenticated user, under specific circumstances,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Hashicorp Remote Desktop Manager
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-3518 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD
CVSS 3.1
7.3
EPSS
0.4%
CVE-2023-3462 Go MEDIUM PATCH This Month

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Vault
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-3774 MEDIUM This Month

An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Hashicorp Vault
NVD
CVSS 3.1
4.9
EPSS
0.6%
CVE-2023-3300 Go MEDIUM PATCH This Month

HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Nomad
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-3299 Go LOW PATCH Monitor

HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Nomad
NVD
CVSS 3.1
2.7
EPSS
0.5%
CVE-2023-3072 Go LOW PATCH Monitor

HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Nomad
NVD
CVSS 3.1
3.8
EPSS
0.4%
CVE-2023-34236 Go MEDIUM POC PATCH This Month

Weave GitOps Terraform Controller (aka Weave TF-controller) is a controller for Flux to reconcile Terraform resources in a GitOps way. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Authentication Bypass Hashicorp Gitops Terraform Controller
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-3114 HIGH This Week

Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Terraform Enterprise
NVD
CVSS 3.1
7.7
EPSS
0.4%
CVE-2023-2121 Go MEDIUM PATCH This Month

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Hashicorp Vault
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-33001 Maven HIGH This Week

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp Hashicorp Vault
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-2197 LOW Monitor

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. Rated low severity (CVSS 2.5). No vendor patch available.

Oracle Information Disclosure Hashicorp Vault
NVD
CVSS 3.1
2.5
EPSS
0.1%
CVE-2023-30618 Ruby LOW PATCH Monitor

Kitchen-Terraform provides a set of Test Kitchen plugins which enable the use of Test Kitchen to converge a Terraform configuration and verify the resulting infrastructure systems with InSpec. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.

Information Disclosure Hashicorp Kitchen Terraform
NVD GitHub
CVSS 3.1
3.3
EPSS
0.2%
CVE-2023-30531 Maven MEDIUM This Month

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp Consul Kv Builder
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-30530 Maven MEDIUM This Month

Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp Consul Kv Builder
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-30515 Maven HIGH This Week

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp Thycotic Devops Secrets Vault
NVD
CVSS 3.1
7.5
EPSS
0.4%
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 allows Stored XSS.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Hashicorp Information Disclosure +2
NVD
EPSS 0% CVSS 7.7
HIGH POC This Month

An information disclosure vulnerability exists in the Vault API functionality of ClearML Enterprise Server 3.22.5-1533. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Clearml Enterprise Server
NVD
EPSS 0% CVSS 4.2
MEDIUM Monitor

PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 has potentially elevated privileges in LDAP mapping. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.

Hashicorp Information Disclosure
NVD
EPSS 0% CVSS 4.2
MEDIUM Monitor

PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Hashicorp Code Injection Privileged Access Manager
NVD GitHub
EPSS 20% CVSS 4.6
MEDIUM Monitor

In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 19.9% and no vendor patch available.

Hashicorp XSS Teamcity
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Month

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Go Slug +2
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Tapir is a private Terraform registry. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Microsoft +1
NVD
EPSS 0% CVSS 2.7
LOW PATCH Monitor

A vulnerability was found in Keycloak. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Hashicorp
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24405. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24344. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24343. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24341. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24339. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24336. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24334. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Hashicorp +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24698. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Enterprise Vault
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24697. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Enterprise Vault
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24696. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Enterprise Vault
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24695. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS
NVD
EPSS 1% CVSS 8.5
HIGH POC PATCH This Week

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Atlantis
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service Vault +1
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Hashicorp Openbao +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

TopQuadrant TopBraid EDG stores external credentials insecurely. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Topbraid Edg
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Power Platform Terraform Provider allows managing environments and other resources within Power Platform. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Power Platform Terraform Provider
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp XSS Teamcity
NVD
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Hashicorp Information Disclosure Nomad
NVD
EPSS 0% CVSS 7.8
HIGH This Week

1Password 8 before 8.10.36 for macOS allows local attackers to exfiltrate vault items because XPC inter-process communication validation is insufficient. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Hashicorp Information Disclosure +1
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

1Password 8 before 8.10.38 for macOS allows local attackers to exfiltrate vault items by bypassing macOS-specific security mechanisms. Rated medium severity (CVSS 4.7). No vendor patch available.

Authentication Bypass Apple Hashicorp +1
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Nomad
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service Vault
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Hashicorp Command Injection +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Improper authentication in the vault password feature in Devolutions Remote Desktop Manager 2024.1.31.0 and earlier allows an attacker that has compromised an access to an RDM instance to bypass the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Remote Desktop Manager
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Vault
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Microsoft
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the. Rated medium severity (CVSS 5.3).

Hashicorp Information Disclosure Edc Connector
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

A vulnerability was discovered in the Alta Recovery Vault feature of Veritas NetBackup before 10.4 and NetBackup Appliance before 5.4. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Hashicorp Go Getter
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper permission handling in the vault offline cache feature in Devolutions Remote Desktop Manager 2024.1.20 and earlier on windows and Devolutions Server 2024.1.8 and earlier allows an attacker. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Microsoft +2
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Improper access control in PAM vault permissions in Devolutions Server 2024.1.10.0 and earlier allows an authenticated user with access to the PAM to access unauthorized PAM entries via a specific. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Devolutions Server
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

An issue in iTop DualSafe Password Manager & Digital Vault before 1.4.24 allows a local attacker to obtain sensitive information via leaked credentials as plaintext in a log file that can be accessed. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Dualsafe Password Manager
NVD
EPSS 1% CVSS 8.2
HIGH PATCH This Week

Coder allows oragnizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Hashicorp Coder
NVD GitHub
EPSS 0% CVSS 7.9
HIGH This Week

A potential DLL hijacking vulnerability in the SanDisk PrivateAccess application for Windows that could lead to arbitrary code execution in the context of the system user. Rated high severity (CVSS 7.9), this vulnerability is low attack complexity. No vendor patch available.

RCE Hashicorp Microsoft
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Vault +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Gecko Software Development Kit
NVD
EPSS 0% CVSS 2.6
LOW Monitor

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Hashicorp Oracle +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Oracle +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 template renderer is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Nomad
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Vault
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable.

Hashicorp Information Disclosure Oracle +1
NVD
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Hashicorp Oracle +1
NVD
EPSS 0% CVSS 3.0
LOW PATCH Monitor

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall). Rated low severity (CVSS 3.0), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Hashicorp Information Disclosure Oracle +1
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Glitch detection is not enabled by default for the CortexM33 core in Silicon Labs secure vault high parts EFx32xG2xB, except EFR32xG21B. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Gecko Software Development Kit
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Hashicorp Vault
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Vault
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A vulnerability in IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.10, 23.0.0 through 23.0.10 may result in access to client vault credentials. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Hashicorp IBM +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Hashicorp +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Hashicorp +1
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace,. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Hashicorp Vault
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Eve
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Eve
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Eve
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Edge Virtualization Engine
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypted data located in the vault. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Edge Virtualization Engine
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Edge Virtualization Engine
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Edge Virtualization Engine
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Hashicorp Vault
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the `init` operation if run on maliciously crafted Terraform configuration. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Hashicorp Terraform
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper access controls in the entry duplication component in Devolutions Remote Desktop Manager 2023.2.19 and earlier versions on Windows allows an authenticated user, under specific circumstances,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Hashicorp +1
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Vault
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Hashicorp Vault
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP search API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Nomad
NVD
EPSS 0% CVSS 2.7
LOW PATCH Monitor

HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Nomad
NVD
EPSS 0% CVSS 3.8
LOW PATCH Monitor

HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL policies using a block without a label generates unexpected results. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Nomad
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Weave GitOps Terraform Controller (aka Weave TF-controller) is a controller for Flux to reconcile Terraform resources in a GitOps way. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Authentication Bypass Hashicorp +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp Terraform Enterprise
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Hashicorp Vault
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp +1
NVD
EPSS 0% CVSS 2.5
LOW Monitor

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. Rated low severity (CVSS 2.5). No vendor patch available.

Oracle Information Disclosure Hashicorp +1
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Kitchen-Terraform provides a set of Test Kitchen plugins which enable the use of Test Kitchen to converge a Terraform configuration and verify the resulting infrastructure systems with InSpec. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.

Information Disclosure Hashicorp Kitchen Terraform
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp +1
NVD
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy