vault

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description A tool for managing secrets
Version 1.7.3-1 [community]

Open

Group Affected Fixed Severity Status Ticket
AVG-2294 1.7.3-1 Medium Vulnerable
Issue Group Severity Remote Type Description
CVE-2021-41802 AVG-2294 Medium Yes Privilege escalation
HashiCorp Vault through 1.7.4 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other...
CVE-2021-38554 AVG-2294 Medium No Information disclosure
HashiCorp Vault's UI up to version 1.7.3 erroneously cached and exposed user-viewed secrets between sessions in a single shared browser.
CVE-2021-38553 AVG-2294 Low No Denial of service
HashiCorp Vault 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem...

Resolved

Group Affected Fixed Severity Status Ticket
AVG-2457 1.7.3-1 Medium Not affected
AVG-2029 1.7.1-2 1.7.2-1 Medium Fixed
AVG-1860 1.7.0-1 1.7.1-2 Medium Fixed
AVG-1519 1.5.4-1 Medium Not affected
AVG-1369 1.5.4-1 Medium Not affected
AVG-1368 1.5.5-1 1.5.7-1 Medium Fixed FS#69015
Issue Group Severity Remote Type Description
CVE-2021-42135 AVG-2457 Medium Yes Privilege escalation
HashiCorp Vault 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some...
CVE-2021-32923 AVG-2029 Medium Yes Authentication bypass
HashiCorp Vault before version 1.7.2 allowed the renewal of nearly- expired token leases and dynamic secret leases (specifically, those within 1 second of...
CVE-2021-29653 AVG-1860 Medium Yes Certificate verification bypass
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in...
CVE-2021-27400 AVG-1860 Medium Yes Certificate verification bypass
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when...
CVE-2021-3282 AVG-1519 Medium Yes Authentication bypass
HashiCorp Vault Enterprise 1.6.0 and 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication....
CVE-2021-3024 AVG-1368 Low Yes Information disclosure
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests....
CVE-2020-35453 AVG-1369 Medium No Privilege escalation
HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.
CVE-2020-35177 AVG-1368 Medium Yes Information disclosure
HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
CVE-2020-25594 AVG-1368 Low Yes Information disclosure
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This is fixed in versions...