Log

AVG-1518 edited at 01 Feb 2021 18:37:48
Severity
- Medium
+ Low
CVE-2021-3281 edited at 01 Feb 2021 18:37:48
Severity
- Medium
+ Low
AVG-1519 created at 01 Feb 2021 18:27:15
Packages
+ vault
Issues
+ CVE-2021-3282
Status
+ Not affected
Severity
+ Medium
Affected
+ 1.5.4-1
Fixed
Ticket
Advisory qualified
+ No
References
Notes
AVG-1368 edited at 01 Feb 2021 18:26:50
Issues
CVE-2020-25594
CVE-2020-35177
CVE-2021-3024
- CVE-2021-3282
CVE-2021-3282 edited at 01 Feb 2021 18:26:37
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Authentication bypass
Description
+ HashiCorp Vault Enterprise 1.6.0 and 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. This is fixed in version 1.6.2.
References
+ https://discuss.hashicorp.com/t/hcsec-2021-04-vault-enterprise-s-dr-secondaries-allowed-raft-peer-removal-without-authentication/20337
CVE-2021-3024 edited at 01 Feb 2021 18:25:34
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. This is fixed in versions 1.6.2 and 1.5.7.
References
+ https://discuss.hashicorp.com/t/hcsec-2021-02-vault-api-endpoint-exposed-internal-ip-address-without-authentication/20334
+ https://github.com/hashicorp/vault/pull/10579
+ https://github.com/hashicorp/vault/commit/f4db2dddf449845d3a4dfc835d955e29c31c7a23
AVG-1368 edited at 01 Feb 2021 18:20:24
Issues
CVE-2020-25594
CVE-2020-35177
+ CVE-2021-3024
+ CVE-2021-3282
CVE-2021-3024 created at 01 Feb 2021 18:20:24
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
AVG-1368 edited at 01 Feb 2021 18:20:24
Issues
CVE-2020-25594
CVE-2020-35177
+ CVE-2021-3024
+ CVE-2021-3282
CVE-2021-3282 created at 01 Feb 2021 18:20:24
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
CVE-2020-25594 edited at 01 Feb 2021 18:19:48
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This is fixed in versions 1.6.2 and 1.5.7.
References
+ https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336
+ https://github.com/hashicorp/vault/pull/10650
+ https://github.com/hashicorp/vault/commit/131123918ae8e6ca1ffba4dd7ed32b04c2068dd3
AVG-1368 edited at 01 Feb 2021 18:14:35
Issues
+ CVE-2020-25594
CVE-2020-35177
CVE-2020-25594 created at 01 Feb 2021 18:14:35
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
ASA-202102-4 edited at 01 Feb 2021 15:28:34
Impact
+ An attacker might be able to cause a denial of service by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.