vault

Description: A tool for managing secrets
Version: 1.18.2-1 [extra]

Resolved

Group     Affected  Fixed    Severity  Status        Ticket
AVG-2457  1.7.3-1            Medium    Not affected
AVG-2294  1.7.3-1   1.9.0-1  Medium    Fixed
AVG-2029  1.7.1-2   1.7.2-1  Medium    Fixed
AVG-1860  1.7.0-1   1.7.1-2  Medium    Fixed
AVG-1519  1.5.4-1            Medium    Not affected
AVG-1369  1.5.4-1            Medium    Not affected
AVG-1368  1.5.5-1   1.5.7-1  Medium    Fixed         FS#69015
Issues (Issue / Group / Severity / Remote / Type, followed by the description)

Issue: CVE-2021-43998   Group: AVG-2294   Severity: Medium   Remote: Yes   Type: Access restriction bypass
    In HashiCorp Vault before version 1.9.0, templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a...

Issue: CVE-2021-42135   Group: AVG-2457   Severity: Medium   Remote: Yes   Type: Privilege escalation
    HashiCorp Vault 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some...

Issue: CVE-2021-41802   Group: AVG-2294   Severity: Medium   Remote: Yes   Type: Privilege escalation
    HashiCorp Vault through 1.7.4 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other...

Issue: CVE-2021-38554   Group: AVG-2294   Severity: Medium   Remote: No   Type: Information disclosure
    HashiCorp Vault's UI up to version 1.7.3 erroneously cached and exposed user-viewed secrets between sessions in a single shared browser.

Issue: CVE-2021-38553   Group: AVG-2294   Severity: Low   Remote: No   Type: Denial of service
    HashiCorp Vault 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem...

Issue: CVE-2021-32923   Group: AVG-2029   Severity: Medium   Remote: Yes   Type: Authentication bypass
    HashiCorp Vault before version 1.7.2 allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of...

Issue: CVE-2021-29653   Group: AVG-1860   Severity: Medium   Remote: Yes   Type: Certificate verification bypass
    HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in...

Issue: CVE-2021-27400   Group: AVG-1860   Severity: Medium   Remote: Yes   Type: Certificate verification bypass
    HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when...

Issue: CVE-2021-3282   Group: AVG-1519   Severity: Medium   Remote: Yes   Type: Authentication bypass
    HashiCorp Vault Enterprise 1.6.0 and 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication....

Issue: CVE-2021-3024   Group: AVG-1368   Severity: Low   Remote: Yes   Type: Information disclosure
    HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests....

Issue: CVE-2020-35453   Group: AVG-1369   Severity: Medium   Remote: No   Type: Privilege escalation
    HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.

Issue: CVE-2020-35177   Group: AVG-1368   Severity: Medium   Remote: Yes   Type: Information disclosure
    HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

Issue: CVE-2020-25594   Group: AVG-1368   Severity: Low   Remote: Yes   Type: Information disclosure
    HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This is fixed in versions...