HashiCorp Vault
By the Year
In 2023 there has been 1 vulnerability in HashiCorp Vault, with an average score of 8.1 out of ten. Last year Vault had 6 security vulnerabilities published. Right now, Vault is on track to have fewer security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 1.13.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 1 | 8.10 |
2022 | 6 | 6.97 |
2021 | 13 | 6.18 |
2020 | 11 | 7.82 |
2019 | 0 | 0.00 |
2018 | 1 | 8.10 |
It may take a day or so for new Vault vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent HashiCorp Vault Security Vulnerabilities
HashiCorp Vault and Vault Enterprise's approle auth method
CVE-2023-24999
8.1 - High
- March 11, 2023
HashiCorp Vault and Vault Enterprise's approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.
AuthZ
HashiCorp Vault and Vault Enterprise's TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup
CVE-2022-41316
5.3 - Medium
- October 12, 2022
HashiCorp Vault and Vault Enterprise's TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL had not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
Improper Certificate Validation
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3
CVE-2022-40186
9.1 - Critical
- September 22, 2022
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint
CVE-2022-36129
9.1 - Critical
- July 26, 2022
HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.
AuthZ
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts
CVE-2022-30689
5.3 - Medium
- May 17, 2022
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.
Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3
CVE-2022-25243
6.5 - Medium
- March 10, 2022
Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.
Improper Certificate Validation
Vault Enterprise clusters using the tokenization transform feature
CVE-2022-25244
6.5 - Medium
- March 10, 2022
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10.
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend
CVE-2021-45042
4.9 - Medium
- December 17, 2021
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies
CVE-2021-43998
6.5 - Medium
- November 30, 2021
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
Incorrect Permission Assignment for Critical Resource
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine
CVE-2021-42135
8.1 - High
- October 11, 2021
HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.
Improper Privilege Management
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3
CVE-2021-41802
5.4 - Medium
- October 08, 2021
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user's policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
Incorrect Permission Assignment for Critical Resource
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication
CVE-2021-27668
5.3 - Medium
- August 31, 2021
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.
Missing Authentication for Critical Function
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions
CVE-2021-38553
4.4 - Medium
- August 13, 2021
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.
Improper Preservation of Permissions
HashiCorp Vault and Vault Enterprise's UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser
CVE-2021-38554
5.3 - Medium
- August 13, 2021
HashiCorp Vault and Vault Enterprise's UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
Improper Removal of Sensitive Information Before Storage or Transfer
HashiCorp Vault and Vault Enterprise
CVE-2021-32923
7.4 - High
- June 03, 2021
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
Insufficient Session Expiration
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates
CVE-2021-29653
7.5 - High
- April 22, 2021
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
Improper Certificate Validation
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters
CVE-2021-27400
7.5 - High
- April 22, 2021
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1.
Improper Certificate Validation
HashiCorp Vault Enterprise 1.6.0 & 1.6.1
CVE-2021-3282
7.5 - High
- February 01, 2021
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
Authentication
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests
CVE-2020-25594
5.3 - Medium
- February 01, 2021
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid
CVE-2021-3024
5.3 - Medium
- February 01, 2021
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.
HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces
CVE-2020-35453
5.3 - Medium
- December 17, 2020
HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.
Improper Input Validation
HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method
CVE-2020-35177
5.3 - Medium
- December 17, 2020
HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
Information Disclosure
The official vault docker images before 0.11.6 contain a blank password for a root user
CVE-2020-35192
9.8 - Critical
- December 17, 2020
The official vault docker images before 0.11.6 contain a blank password for a root user. Systems using the vault docker container deployed from affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
Missing Authentication for Critical Function
HashiCorp Vault and Vault Enterprise versions 1.0 and newer
CVE-2020-25816
6.8 - Medium
- September 30, 2020
HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer
CVE-2020-16251
9.8 - Critical
- August 26, 2020
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Authentication
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer
CVE-2020-16250
9.8 - Critical
- August 26, 2020
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Insufficient Verification of Data Authenticity
HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials
CVE-2020-13223
7.5 - High
- June 10, 2020
HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.
Insertion of Sensitive Information into Log File
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1
CVE-2020-12757
9.8 - Critical
- June 10, 2020
HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.
Improper Privilege Management
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may
CVE-2020-10661
9.1 - Critical
- March 23, 2020
HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may
CVE-2020-10660
5.3 - Medium
- March 23, 2020
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.
Incorrect Default Permissions
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails
CVE-2020-7220
7.5 - High
- January 23, 2020
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.
Information Disclosure
HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes
CVE-2018-19786
8.1 - High
- December 05, 2018
HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported.
Insertion of Sensitive Information into Log File