Skip to main content

Hashicorp

344 CVEs vendor

Monthly

CVE-2020-27587 MEDIUM POC This Month

Quick Heal Total Security before 19.0 allows attackers with local admin rights to obtain access to files in the File Vault via a brute-force attack on the password. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Brute Force Total Security
NVD
CVSS 3.1
6.7
EPSS
0.4%
CVE-2020-28348 Go MEDIUM PATCH This Month

HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Docker Path Traversal Nomad
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2020-28053 Go MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-13359 HIGH This Week

The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Gitlab Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.8%
CVE-2020-25201 Go HIGH PATCH This Week

HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
2.6%
CVE-2020-2313 Maven MEDIUM PATCH This Month

A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Microsoft Jenkins Information Disclosure Azure Key Vault
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2020-27195 Go CRITICAL PATCH Act Now

HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Nomad
NVD GitHub
CVSS 3.1
9.1
EPSS
1.5%
CVE-2020-14736 LOW PATCH Monitor

Vulnerability in the Database Vault component of Oracle Database Server. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity.

Hashicorp Oracle Authentication Bypass Database Vault
NVD
CVSS 3.1
3.8
EPSS
0.8%
CVE-2020-25816 Go MEDIUM PATCH This Month

HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
CVSS 3.1
6.8
EPSS
1.0%
CVE-2020-4607 HIGH PATCH This Week

IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Hashicorp IBM Authentication Bypass Security Verify Privilege Vault Remote On Premises
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-15024 MEDIUM This Month

An issue was discovered in the Login Password feature of the Password Manager component in Avast Antivirus 20.1.5069.562. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Microsoft Information Disclosure Antivirus
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-16251 Go HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Vault
NVD GitHub
CVSS 3.1
8.2
EPSS
3.0%
CVE-2020-16250 Go HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Vault
NVD GitHub
CVSS 3.1
8.2
EPSS
1.5%
CVE-2020-24359 Go HIGH PATCH This Week

HashiCorp vault-ssh-helper up to and including version 0.1.6 incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault Ssh Helper
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-16272 CRITICAL POC Act Now

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Keepassrpc
NVD
CVSS 3.1
9.1
EPSS
2.8%
CVE-2020-16271 CRITICAL POC Act Now

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Keepassrpc
NVD
CVSS 3.1
9.1
EPSS
1.5%
CVE-2020-15511 MEDIUM This Month

HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Terraform Enterprise
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2020-14981 MEDIUM This Month

The ThreatTrack VIPRE Password Vault app through 1.100.1090 for iOS has Missing SSL Certificate Validation. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Hashicorp Information Disclosure Apple Password Vault
NVD
CVSS 3.1
5.9
EPSS
0.8%
CVE-2020-13250 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
2.9%
CVE-2020-13170 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-12797 Go MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
CVSS 3.1
5.3
EPSS
1.6%
CVE-2020-12758 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-13223 Go HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-12757 Go CRITICAL PATCH Act Now

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Privilege Escalation Vault
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-10685 PyPI MEDIUM PATCH This Month

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Hashicorp Information Disclosure Ansible Engine Ansible Tower Ceph Storage +3
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
CVE-2020-10944 MEDIUM PATCH This Month

HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Hashicorp Nomad
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-10661 Go CRITICAL PATCH Act Now

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
CVSS 3.1
9.1
EPSS
1.1%
CVE-2020-10660 Go MEDIUM PATCH This Month

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Privilege Escalation Vault
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2020-1740 PyPI MEDIUM PATCH This Month

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. Rated medium severity (CVSS 4.7). No vendor patch available.

Hashicorp Information Disclosure Ansible Ansible Tower Cloudforms Management Engine +3
NVD GitHub
CVSS 3.1
4.7
EPSS
0.4%
CVE-2020-7956 Go CRITICAL PATCH Act Now

HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Privilege Escalation Nomad
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2020-7955 Go MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Information Disclosure HashiCorp Consul
NVD GitHub
CVSS 3.1
5.3
EPSS
1.4%
CVE-2020-7219 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2020-7218 Go HIGH PATCH This Week

HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service Nomad
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2020-7220 Go HIGH PATCH This Week

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2019-19316 Go HIGH PATCH This Week

When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Hashicorp Terraform
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2019-10435 Maven HIGH This Week

Jenkins SourceGear Vault Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp Sourcegear Vault
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2019-14359 LOW POC Monitor

On BC Vault devices, a side channel for the row-based SSD1309 OLED display was found. Rated low severity (CVSS 2.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Hashicorp Bc Vault Firmware
NVD
CVSS 3.0
2.4
EPSS
0.4%
CVE-2019-12618 Go CRITICAL PATCH Act Now

HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Hashicorp Nomad
NVD GitHub
CVSS 3.0
9.8
EPSS
2.4%
CVE-2019-13380 MEDIUM This Month

KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Hashicorp Team Password Manager
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2019-4295 MEDIUM PATCH This Month

IBM Robotic Process Automation with Automation Anywhere 11 could allow an attacker with specialized access to obtain highly sensitive from the credential vault. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

IBM Information Disclosure Hashicorp Robotic Process Automation With Automation Anywhere
NVD
CVSS 3.1
4.9
EPSS
1.1%
CVE-2019-12291 Go HIGH PATCH This Week

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
CVSS 3.0
7.5
EPSS
1.2%
CVE-2019-7442 CRITICAL POC THREAT Act Now

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Hashicorp Enterprise Password Vault
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
40.0%
CVE-2019-6609 CRITICAL Act Now

Platform dependent weakness. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Big Ip Local Traffic Manager Big Ip Application Acceleration Manager Big Ip Advanced Firewall Manager +11
NVD
CVSS 3.0
9.8
EPSS
1.5%
CVE-2019-9764 Go HIGH POC PATCH This Week

HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
CVSS 3.0
7.4
EPSS
0.6%
CVE-2019-8336 Go HIGH PATCH This Week

HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Hashicorp HashiCorp Consul
NVD GitHub
CVSS 3.0
8.1
EPSS
1.3%
CVE-2019-8944 MEDIUM This Month

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Octopus Deploy Octopus Server
NVD GitHub
CVSS 3.0
6.5
EPSS
1.5%
CVE-2018-20371 CRITICAL POC Act Now

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers to bypass intended GET restrictions via a brute-force approach, as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Photorange Photo Vault
NVD
CVSS 3.0
9.8
EPSS
1.6%
CVE-2018-15328 HIGH This Week

On BIG-IP 14.0.x, 13.x, 12.x, and 11.x, Enterprise Manager 3.1.1, BIG-IQ 6.x, 5.x, and 4.x, and iWorkflow 2.x, the passphrases for SNMPv3 users and trap destinations that are used for authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Analytics +13
NVD
CVSS 3.0
7.5
EPSS
2.3%
CVE-2018-19653 Go MEDIUM PATCH This Month

HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
CVSS 3.0
5.9
EPSS
1.2%
CVE-2018-19786 HIGH This Week

HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
CVSS 3.0
8.1
EPSS
0.9%
CVE-2018-9843 CRITICAL POC THREAT Act Now

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Deserialization RCE Password Vault
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
17.3%
CVE-2018-9842 MEDIUM POC THREAT This Month

CyberArk Password Vault before 9.7 allows remote attackers to obtain sensitive information from process memory by replaying a logon message. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Password Vault
NVD Exploit-DB
CVSS 3.0
5.3
EPSS
14.1%
CVE-2018-9057 Go CRITICAL PATCH Act Now

aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure Terraform
NVD GitHub
CVSS 3.0
9.8
EPSS
2.0%
CVE-2017-16777 HIGH POC This Week

If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.3 is installed but VMware Fusion is not, a local attacker can create a fake application directory and exploit the suid sudo. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp VMware Privilege Escalation Vagrant
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
0.1%
CVE-2017-16560 MEDIUM This Month

SanDisk Secure Access 3.01 vault decrypts and copies encrypted files to a temporary folder, where they can remain indefinitely in certain situations, such as if the file is being edited when the user. Rated medium severity (CVSS 4.3), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Hashicorp Secureaccess
NVD
CVSS 3.0
4.3
EPSS
0.1%
CVE-2017-16001 HIGH POC This Week

In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Race Condition Hashicorp VMware Privilege Escalation Vagrant
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
0.1%
CVE-2017-15884 HIGH POC This Week

In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.0, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Race Condition Hashicorp VMware Privilege Escalation Vagrant Vmware Fusion
NVD Exploit-DB
CVSS 3.0
7.0
EPSS
0.1%
CVE-2017-12579 HIGH POC This Week

An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 4.0.24 and earlier allows a non-root user to obtain a root shell. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp VMware Information Disclosure Vagrant Vmware Fusion
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
1.1%
CVE-2017-2809 PyPI HIGH POC PATCH This Week

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Python Hashicorp Code Injection Ansible Vault
NVD GitHub
CVSS 3.0
7.5
EPSS
0.6%
CVE-2017-11741 HIGH POC This Week

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, allows local users to execute arbitrary code with root privileges. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Hashicorp VMware Privilege Escalation Vagrant Vmware Fusion
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
0.3%
CVE-2017-7642 HIGH POC This Week

The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp VMware Information Disclosure Vagrant Vmware Fusion
NVD GitHub Exploit-DB
CVSS 3.0
7.8
EPSS
0.4%
CVE-2017-7306 MEDIUM POC This Month

Riverbed RiOS through 9.6.0 has a weak default password for the secure vault, which makes it easier for physically proximate attackers to defeat the secure-vault protection mechanism by leveraging. Rated medium severity (CVSS 6.4), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Brute Force Hashicorp Information Disclosure Rios
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2017-7305 MEDIUM This Month

Riverbed RiOS through 9.6.0 does not require a bootloader password, which makes it easier for physically proximate attackers to defeat the secure-vault protection mechanism via a crafted boot. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Brute Force Hashicorp Information Disclosure Rios
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2017-5670 MEDIUM This Month

Riverbed RiOS through 9.6.0 deletes the secure vault with the rm program (not shred or srm), which makes it easier for physically proximate attackers to obtain sensitive information by reading raw. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Rios
NVD
CVSS 3.0
4.6
EPSS
0.1%
CVE-2016-3484 LOW PATCH Monitor

Unspecified vulnerability in the Database Vault component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect confidentiality and integrity via unknown vectors. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity.

Hashicorp Information Disclosure Oracle Database
NVD
CVSS 3.0
3.4
EPSS
0.1%
CVE-2015-8773 HIGH This Week

Stack-based buffer overflow in McPvDrv.sys 4.6.111.0 in McAfee File Lock 5.x in McAfee Total Protection allows attackers to cause a denial of service (system crash) via a long vault GUID in an ioctl. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Hashicorp File Lock
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2015-4921 MEDIUM This Month

Unspecified vulnerability in the Database Vault component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect integrity via unknown vectors. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Oracle Database Server
NVD
CVSS 2.0
4.0
EPSS
0.1%
CVE-2015-5711 MEDIUM This Month

TIBCO Managed File Transfer Internet Server before 7.2.5, Managed File Transfer Command Center before 7.2.5, Slingshot before 1.9.4, and Vault before 2.0.1 allow remote authenticated users to obtain. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Managed File Transfer Internet Server Vault Managed File Transfer Command Center +1
NVD
CVSS 2.0
4.0
EPSS
0.1%
CVE-2014-7194 MEDIUM PATCH This Month

TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File Transfer Command Center before 7.2.4, Slingshot before 1.9.3, and Vault before 1.1.1 allow remote attackers to obtain sensitive. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Hashicorp Managed File Transfer Internet Server Managed File Transfer Command Center Slingshot +1
NVD
CVSS 2.0
6.4
EPSS
0.2%
CVE-2014-5667 MEDIUM This Month

The Vault-Hide SMS, Pics & Videos (aka com.netqin.ps) application 5.0.14.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers. Rated medium severity (CVSS 5.4). No vendor patch available.

Google Information Disclosure Hashicorp Vault Hide Sms Pics Videos
NVD
CVSS 2.0
5.4
EPSS
0.1%
CVE-2014-2545 MEDIUM This Month

TIBCO Managed File Transfer Internet Server before 7.2.2, Managed File Transfer Command Center before 7.2.2, Slingshot before 1.9.1, and Vault before 1.0.1 allow remote attackers to obtain sensitive. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Managed File Transfer Internet Server Information Disclosure Hashicorp Slingshot Vault +1
NVD VulDB
CVSS 2.0
5.0
EPSS
0.2%
CVE-2013-1921 LOW Monitor

PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. Rated low severity (CVSS 1.9). No vendor patch available.

Red Hat Hashicorp Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 2.0
1.9
EPSS
0.1%
CVE-2013-1609 MEDIUM This Month

Multiple unquoted Windows search path vulnerabilities in the (1) File Collector and (2) File PlaceHolder services in Symantec Enterprise Vault (EV) for File System Archiving before 9.0.4 and 10.x. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Microsoft Enterprise Vault For File System Archiving
NVD
CVSS 2.0
6.8
EPSS
0.3%
CVE-2012-0652 MEDIUM This Month

Login Window in Apple Mac OS X 10.7.3, when Legacy File Vault or networked home directories are enabled, does not properly restrict what is written to the system log for network logins, which allows. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Apple Mac Os X
NVD
CVSS 2.0
4.9
EPSS
0.1%
EPSS 0% CVSS 6.7
MEDIUM POC This Month

Quick Heal Total Security before 19.0 allows attackers with local admin rights to obtain access to files in the File Vault via a brute-force attack on the password. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Brute Force +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Docker Path Traversal +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 7.6
HIGH This Week

The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Gitlab Authentication Bypass
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Microsoft Jenkins +2
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Nomad
NVD GitHub
EPSS 1% CVSS 3.8
LOW PATCH Monitor

Vulnerability in the Database Vault component of Oracle Database Server. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity.

Hashicorp Oracle Authentication Bypass +1
NVD
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Hashicorp IBM Authentication Bypass +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

An issue was discovered in the Login Password feature of the Password Manager component in Avast Antivirus 20.1.5069.562. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Microsoft Information Disclosure +1
NVD
EPSS 3% CVSS 8.2
HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Vault
NVD GitHub
EPSS 1% CVSS 8.2
HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Vault
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp vault-ssh-helper up to and including version 0.1.6 incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault Ssh Helper
NVD GitHub
EPSS 3% CVSS 9.1
CRITICAL POC Act Now

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Keepassrpc
NVD
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Keepassrpc
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Terraform Enterprise
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM This Month

The ThreatTrack VIPRE Password Vault app through 1.100.1090 for iOS has Missing SSL Certificate Validation. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Hashicorp Information Disclosure Apple +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Privilege Escalation Vault
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Hashicorp Information Disclosure Ansible Engine +5
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-site scripting vulnerability such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Hashicorp Nomad
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Privilege Escalation Vault
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. Rated medium severity (CVSS 4.7). No vendor patch available.

Hashicorp Information Disclosure Ansible +5
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Privilege Escalation Nomad
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service Nomad
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Hashicorp +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Jenkins SourceGear Vault Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Hashicorp +1
NVD
EPSS 0% CVSS 2.4
LOW POC Monitor

On BC Vault devices, a side channel for the row-based SSD1309 OLED display was found. Rated low severity (CVSS 2.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Hashicorp Bc Vault Firmware
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Hashicorp Nomad
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Hashicorp Team Password Manager
NVD
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

IBM Robotic Process Automation with Automation Anywhere 11 could allow an attacker with specialized access to obtain highly sensitive from the credential vault. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

IBM Information Disclosure Hashicorp +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
EPSS 40% CVSS 9.8
CRITICAL POC THREAT Act Now

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Hashicorp Enterprise Password Vault
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Platform dependent weakness. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Big Ip Local Traffic Manager +13
NVD
EPSS 1% CVSS 7.4
HIGH POC PATCH This Week

HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Hashicorp HashiCorp Consul
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM This Month

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Octopus Deploy +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers to bypass intended GET restrictions via a brute-force approach, as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Photorange Photo Vault
NVD
EPSS 2% CVSS 7.5
HIGH This Week

On BIG-IP 14.0.x, 13.x, 12.x, and 11.x, Enterprise Manager 3.1.1, BIG-IQ 6.x, 5.x, and 4.x, and iWorkflow 2.x, the passphrases for SNMPv3 users and trap destinations that are used for authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Big Ip Access Policy Manager +15
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Hashicorp Information Disclosure Vault
NVD GitHub
EPSS 17% CVSS 9.8
CRITICAL POC THREAT Act Now

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Deserialization RCE +1
NVD Exploit-DB
EPSS 14% CVSS 5.3
MEDIUM POC THREAT This Month

CyberArk Password Vault before 9.7 allows remote attackers to obtain sensitive information from process memory by replaying a logon message. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp Information Disclosure Password Vault
NVD Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure Terraform
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.3 is installed but VMware Fusion is not, a local attacker can create a fake application directory and exploit the suid sudo. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp VMware Privilege Escalation +1
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

SanDisk Secure Access 3.01 vault decrypts and copies encrypted files to a temporary folder, where they can remain indefinitely in certain situations, such as if the file is being edited when the user. Rated medium severity (CVSS 4.3), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Hashicorp Secureaccess
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Race Condition Hashicorp VMware +2
NVD Exploit-DB
EPSS 0% CVSS 7.0
HIGH POC This Week

In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.0, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Race Condition Hashicorp VMware +2
NVD Exploit-DB
EPSS 1% CVSS 7.8
HIGH POC This Week

An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 4.0.24 and earlier allows a non-root user to obtain a root shell. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp VMware Information Disclosure +1
NVD Exploit-DB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Python Hashicorp +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo helper scripts, allows local users to execute arbitrary code with root privileges. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Hashicorp VMware +2
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Hashicorp VMware Information Disclosure +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Riverbed RiOS through 9.6.0 has a weak default password for the secure vault, which makes it easier for physically proximate attackers to defeat the secure-vault protection mechanism by leveraging. Rated medium severity (CVSS 6.4), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Brute Force Hashicorp Information Disclosure +1
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Riverbed RiOS through 9.6.0 does not require a bootloader password, which makes it easier for physically proximate attackers to defeat the secure-vault protection mechanism via a crafted boot. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Brute Force Hashicorp Information Disclosure +1
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Riverbed RiOS through 9.6.0 deletes the secure vault with the rm program (not shred or srm), which makes it easier for physically proximate attackers to obtain sensitive information by reading raw. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Rios
NVD
EPSS 0% CVSS 3.4
LOW PATCH Monitor

Unspecified vulnerability in the Database Vault component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect confidentiality and integrity via unknown vectors. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity.

Hashicorp Information Disclosure Oracle +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Stack-based buffer overflow in McPvDrv.sys 4.6.111.0 in McAfee File Lock 5.x in McAfee Total Protection allows attackers to cause a denial of service (system crash) via a long vault GUID in an ioctl. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Hashicorp +1
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

Unspecified vulnerability in the Database Vault component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect integrity via unknown vectors. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Oracle +1
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

TIBCO Managed File Transfer Internet Server before 7.2.5, Managed File Transfer Command Center before 7.2.5, Slingshot before 1.9.4, and Vault before 2.0.1 allow remote authenticated users to obtain. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp Managed File Transfer Internet Server +3
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File Transfer Command Center before 7.2.4, Slingshot before 1.9.3, and Vault before 1.1.1 allow remote attackers to obtain sensitive. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Hashicorp Managed File Transfer Internet Server +3
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Vault-Hide SMS, Pics & Videos (aka com.netqin.ps) application 5.0.14.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers. Rated medium severity (CVSS 5.4). No vendor patch available.

Google Information Disclosure Hashicorp +1
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

TIBCO Managed File Transfer Internet Server before 7.2.2, Managed File Transfer Command Center before 7.2.2, Slingshot before 1.9.1, and Vault before 1.0.1 allow remote attackers to obtain sensitive. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Managed File Transfer Internet Server Information Disclosure Hashicorp +3
NVD VulDB
EPSS 0% CVSS 1.9
LOW Monitor

PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. Rated low severity (CVSS 1.9). No vendor patch available.

Red Hat Hashicorp Information Disclosure +1
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Multiple unquoted Windows search path vulnerabilities in the (1) File Collector and (2) File PlaceHolder services in Symantec Enterprise Vault (EV) for File System Archiving before 9.0.4 and 10.x. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Microsoft +1
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Login Window in Apple Mac OS X 10.7.3, when Legacy File Vault or networked home directories are enabled, does not properly restrict what is written to the system log for network logins, which allows. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.

Hashicorp Information Disclosure Apple +1
NVD
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy