vault

Description: A tool for managing secrets
Version: 1.7.0-1 [community]

Resolved

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1519 | 1.5.4-1 | | Medium | Not affected | |
| AVG-1369 | 1.5.4-1 | | Medium | Not affected | |
| AVG-1368 | 1.5.5-1 | 1.5.7-1 | Medium | Fixed | FS#69015 |

| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-3282 | AVG-1519 | Medium | Yes | Authentication bypass | HashiCorp Vault Enterprise 1.6.0 and 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication.... |
| CVE-2021-3024 | AVG-1368 | Low | Yes | Information disclosure | HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests.... |
| CVE-2020-35453 | AVG-1369 | Medium | No | Privilege escalation | HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1. |
| CVE-2020-35177 | AVG-1368 | Medium | Yes | Information disclosure | HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1. |
| CVE-2020-25594 | AVG-1368 | Low | Yes | Information disclosure | HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This is fixed in versions... |