HashiCorp Vault


By the Year

In 2024 there has been 1 vulnerability in HashiCorp Vault with an average score of 6.5 out of ten. Last year Vault had 13 security vulnerabilities published. Right now, Vault is on track to have fewer security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.48.

Year Vulnerabilities Average Score
2024 1 6.50
2023 13 6.02
2022 6 6.97
2021 13 6.18
2020 11 7.53
2019 0 0.00
2018 1 8.10

It may take a day or so for new Vault vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent HashiCorp Vault Security Vulnerabilities

Vault and Vault Enterprise (Vault) may expose sensitive information when enabling an audit device

CVE-2024-0831 6.5 - Medium - February 01, 2024

Vault and Vault Enterprise (Vault) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.

Insertion of Sensitive Information into Log File

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests

CVE-2023-6337 7.5 - High - December 08, 2023

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

Allocation of Resources Without Limits or Throttling

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory

CVE-2023-5954 7.5 - High - November 09, 2023

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Memory Leak

A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace

CVE-2023-3775 4.9 - Medium - September 29, 2023

A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8.

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets

CVE-2023-5077 7.5 - High - September 29, 2023

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

Incorrect Permission Assignment for Critical Resource

HashiCorp Vault and Vault Enterprise transit secrets engine

CVE-2023-4680 6.8 - Medium - September 15, 2023

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

Improper Input Validation

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method

CVE-2023-3462 5.3 - Medium - July 31, 2023

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Side Channel Attack

An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash

CVE-2023-3774 4.9 - Medium - July 28, 2023

An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Fixed in 1.14.1, 1.13.5, and 1.12.9.

Improper Handling of Exceptional Conditions

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values

CVE-2023-2121 5.4 - Medium - June 09, 2023

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

XSS

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms

CVE-2023-2197 2.5 - Low - May 01, 2023

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault's root key. Fixed in 1.13.2.

Inadequate Encryption Strength

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata

CVE-2023-0665 6.5 - Medium - March 30, 2023

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks

CVE-2023-25000 4.7 - Medium - March 30, 2023

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Side Channel Attack

HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend

CVE-2023-0620 6.7 - Medium - March 30, 2023

HashiCorp Vault and Vault Enterprise versions 0.8.0 through 1.13.1 are vulnerable to an SQL injection attack when configuring the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin through the local, certain parameters are not sanitized when passed to the user-provided MSSQL database. An attacker may modify these parameters to execute a malicious SQL command. This issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9.

SQL Injection

HashiCorp Vault and Vault Enterprise's approle auth method

CVE-2023-24999 8.1 - High - March 11, 2023

HashiCorp Vault and Vault Enterprise's approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

AuthZ

HashiCorp Vault and Vault Enterprise's TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup

CVE-2022-41316 5.3 - Medium - October 12, 2022

HashiCorp Vault and Vault Enterprise's TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.

Improper Certificate Validation

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3

CVE-2022-40186 9.1 - Critical - September 22, 2022

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint

CVE-2022-36129 9.1 - Critical - July 26, 2022

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. Fixed in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.

Missing Authentication for Critical Function

HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts

CVE-2022-30689 5.3 - Medium - May 17, 2022

HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.

Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3

CVE-2022-25243 6.5 - Medium - March 10, 2022

Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.

Improper Certificate Validation

Vault Enterprise clusters using the tokenization transform feature

CVE-2022-25244 6.5 - Medium - March 10, 2022

Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10.

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend

CVE-2021-45042 4.9 - Medium - December 17, 2021

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies

CVE-2021-43998 6.5 - Medium - November 30, 2021

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

Incorrect Permission Assignment for Critical Resource

HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine

CVE-2021-42135 8.1 - High - October 11, 2021

HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine. Users may, in some situations, have more privileges than intended, e.g., a user with read permission for the /gcp/roleset/* path may be able to issue Google Cloud service account credentials.

Improper Privilege Management

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3

CVE-2021-41802 5.4 - Medium - October 08, 2021

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user's policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Incorrect Permission Assignment for Critical Resource

HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication

CVE-2021-27668 5.3 - Medium - August 31, 2021

HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.

Missing Authentication for Critical Function

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions

CVE-2021-38553 4.4 - Medium - August 13, 2021

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

Improper Preservation of Permissions

HashiCorp Vault and Vault Enterprise's UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser

CVE-2021-38554 5.3 - Medium - August 13, 2021

HashiCorp Vault and Vault Enterprise's UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

Improper Removal of Sensitive Information Before Storage or Transfer

HashiCorp Vault and Vault Enterprise

CVE-2021-32923 7.4 - High - June 03, 2021

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.

Insufficient Session Expiration

HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates

CVE-2021-29653 7.5 - High - April 22, 2021

HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.

Improper Certificate Validation

HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters

CVE-2021-27400 7.5 - High - April 22, 2021

HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1.

Improper Certificate Validation

HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid

CVE-2021-3024 5.3 - Medium - February 01, 2021

HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests

CVE-2020-25594 5.3 - Medium - February 01, 2021

HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

HashiCorp Vault Enterprise 1.6.0 & 1.6.1

CVE-2021-3282 7.5 - High - February 01, 2021

HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.

Authentication

HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces

CVE-2020-35453 5.3 - Medium - December 17, 2020

HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.

Improper Input Validation

HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method

CVE-2020-35177 5.3 - Medium - December 17, 2020

HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

Information Disclosure

The official vault docker images before 0.11.6 contain a blank password for a root user

CVE-2020-35192 9.8 - Critical - December 17, 2020

The official Vault Docker images before 0.11.6 contain a blank password for a root user. Systems using the Vault Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.

Missing Authentication for Critical Function

HashiCorp Vault and Vault Enterprise versions 1.0 and newer

CVE-2020-25816 6.8 - Medium - September 30, 2020

HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer

CVE-2020-16251 8.2 - High - August 26, 2020

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

Authentication

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer

CVE-2020-16250 8.2 - High - August 26, 2020

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

Insufficient Verification of Data Authenticity

HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials

CVE-2020-13223 7.5 - High - June 10, 2020

HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.

Insertion of Sensitive Information into Log File

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1

CVE-2020-12757 9.8 - Critical - June 10, 2020

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.

Improper Privilege Management

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may

CVE-2020-10661 9.1 - Critical - March 23, 2020

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may

CVE-2020-10660 5.3 - Medium - March 23, 2020

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

Incorrect Default Permissions

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails

CVE-2020-7220 7.5 - High - January 23, 2020

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.

Information Disclosure

HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes

CVE-2018-19786 8.1 - High - December 05, 2018

HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported.

Insertion of Sensitive Information into Log File


HashiCorp
Vendor
