| CVE | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-43998 | AVG-2294 | Medium | Yes | Access restriction bypass | In HashiCorp Vault before version 1.9.0, templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a... |
| CVE-2021-42135 | AVG-2457 | Medium | Yes | Privilege escalation | HashiCorp Vault 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some... |
| CVE-2021-41802 | AVG-2294 | Medium | Yes | Privilege escalation | HashiCorp Vault through 1.7.4 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other... |
| CVE-2021-38554 | AVG-2294 | Medium | No | Information disclosure | HashiCorp Vault's UI up to version 1.7.3 erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. |
| CVE-2021-38553 | AVG-2294 | Low | No | Denial of service | HashiCorp Vault 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem... |
| CVE-2021-32923 | AVG-2029 | Medium | Yes | Authentication bypass | HashiCorp Vault before version 1.7.2 allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of... |
| CVE-2021-29653 | AVG-1860 | Medium | Yes | Certificate verification bypass | HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in... |
| CVE-2021-27400 | AVG-1860 | Medium | Yes | Certificate verification bypass | HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when... |
| CVE-2021-3282 | AVG-1519 | Medium | Yes | Authentication bypass | HashiCorp Vault Enterprise 1.6.0 and 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication... |
| CVE-2021-3024 | AVG-1368 | Low | Yes | Information disclosure | HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests... |
| CVE-2020-35453 | AVG-1369 | Medium | No | Privilege escalation | HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1. |
| CVE-2020-35177 | AVG-1368 | Medium | Yes | Information disclosure | HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1. |
| CVE-2020-25594 | AVG-1368 | Low | Yes | Information disclosure | HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This is fixed in versions... |