cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-0377,https://securityvulnerability.io/vulnerability/CVE-2025-0377,Zip-Slip Vulnerability in HashiCorp's go-slug Library,"HashiCorp's go-slug library is susceptible to a zip-slip attack, allowing an attacker to manipulate file paths during extraction from tar entries. When a user provides a path that doesn't exist, it can be exploited to write to unintended file locations, potentially compromising system integrity. It is essential for users of the go-slug library to address this risk by validating paths and ensuring secure extraction processes.",Hashicorp,Shared Library,7.5,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-21T15:23:53.104Z,0
CVE-2024-10975,https://securityvulnerability.io/vulnerability/CVE-2024-10975,Arbitrary Cross-Namespace Volume Creation Vulnerability,"The Nomad volume specification is susceptible to a vulnerability that permits arbitrary cross-namespace volume creation. This occurs due to unauthorized writes via the Container Storage Interface (CSI), which does not adequately enforce proper permissions. Attackers can exploit this vulnerability to interfere with or manipulate volumes across different namespaces, potentially leading to data leaks or unauthorized access to sensitive information.
The issue has been addressed in the releases of Nomad Community Edition 1.9.2 and Nomad Enterprise versions 1.9.2, 1.8.7, and 1.7.15.",Hashicorp,"Nomad,Nomad Enterprise",7.7,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-07T21:04:43.804Z,0
CVE-2024-9180,https://securityvulnerability.io/vulnerability/CVE-2024-9180,"Root Privileges Escalation Vulnerability in Vault","A privilege escalation vulnerability exists within HashiCorp Vault, where a Vault operator possessing write permissions to the root namespace's identity endpoint could potentially escalate their own privileges or those of another user to access Vault's root policy. This could lead to unauthorized access and control over sensitive data managed within Vault. The issue has been addressed in Vault Community Edition version 1.18.0 and Vault Enterprise versions 1.18.0, 1.17.7, 1.16.11, and 1.15.16, suggesting that users should promptly upgrade to these versions to mitigate risks.",Hashicorp,"Vault,Vault Enterprise",7.2,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-10-10T21:15:00.000Z,0
CVE-2024-7594,https://securityvulnerability.io/vulnerability/CVE-2024-7594,Vault SSH secrets engine vulnerability: unauthorized access via SSH certificates,"HashiCorp Vault's SSH secrets engine suffers from a configuration issue where the valid_principals list is not enforced by default. This allows an SSH certificate, requested by an authorized user, to potentially authenticate as any user on the host if the valid_principals and default_user fields are not set appropriately.
The implications of this vulnerability can lead to significant security breaches if not addressed, making it crucial for organizations using Vault to ensure correct configuration of their SSH secrets engine.",Hashicorp,"Vault,Vault Enterprise",7.5,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-09-26T19:52:55.652Z,0
CVE-2024-6717,https://securityvulnerability.io/vulnerability/CVE-2024-6717,Nomad Platform Vulnerable to Path Escape During Migration,"A vulnerability exists in HashiCorp Nomad and Nomad Enterprise due to improper handling of archive unpacking during migration processes. Specifically, versions 1.6.12 through 1.7.9 and 1.8.1 are susceptible to path escaping issues that may allow an attacker to manipulate the allocation directory. This flaw underscores the importance of upgrading to patched versions 1.6.13, 1.7.10, or 1.8.2 to prevent potential security risks. Organizations using affected versions should prioritize remediation to maintain the integrity of their deployment environments.",Hashicorp,"Nomad,Nomad Enterprise",7.7,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-23T01:15:00.000Z,0
CVE-2024-6257,https://securityvulnerability.io/vulnerability/CVE-2024-6257,Malicious Git Configuration Execution via go-getter Library,"The Go-Getter library from HashiCorp is susceptible to a vulnerability that allows an attacker to manipulate the Git configuration, potentially leading to arbitrary code execution. By coercing the library into executing a Git update on a maliciously modified configuration, attackers can exploit this weakness to execute unwanted code within the user's environment.
This issue underscores the importance of secure coding practices and vigilant configuration management to protect against such vulnerabilities.",Hashicorp,Shared Library,8.4,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-06-25T16:31:03.882Z,0
CVE-2024-3817,https://securityvulnerability.io/vulnerability/CVE-2024-3817,Git Injection Vulnerability Affects HashiCorp's go-getter Library,"HashiCorp's Go-Getter library contains a vulnerability that allows for argument injection during the process of executing Git commands to fetch remote branches. This security flaw exposes the system to potential exploitation by manipulating inputs, particularly in scenarios involving remote repository interactions. Importantly, this vulnerability does not affect versions located in the go-getter/v2 branch and package, making those iterations safer for users.",Hashicorp,Shared Library,9.8,CRITICAL,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-04-17T19:37:25.878Z,0
CVE-2024-2048,https://securityvulnerability.io/vulnerability/CVE-2024-2048,Certificate Validation Bypass Vulnerability,"A TLS certificate authentication issue in HashiCorp Vault and Vault Enterprise has been identified, whereby the product does not adequately validate client certificates when a non-CA certificate is configured as trusted. This vulnerability permits an attacker to potentially create a malicious certificate capable of circumventing standard authentication mechanisms.
It is crucial for users to apply the patched versions, Vault 1.15.5 and 1.14.10, to mitigate the risks associated with this vulnerability and ensure secure operations.",Hashicorp,"Vault,Vault Enterprise",8.1,HIGH,0.0004299999854993075,false,,true,false,false,,,true,false,,2024-03-04T19:56:47.253Z,3417
CVE-2024-1329,https://securityvulnerability.io/vulnerability/CVE-2024-1329,Nomad Client User Arbitrary File Write Vulnerability,"The vulnerability in HashiCorp Nomad and Nomad Enterprise versions 1.5.13 through 1.6.6 and 1.7.3 allows for arbitrary file write capabilities on the host system. This occurs due to insufficient validation of symlink paths by the template renderer. Attackers can exploit this flaw by creating malicious symlinks that lead to unauthorized file writes. The identified issue has been resolved in subsequent releases: Nomad 1.7.4, 1.6.7, and 1.5.14, highlighting the importance of keeping software updated to mitigate such vulnerabilities.",Hashicorp,"Nomad,Nomad Enterprise",7.5,HIGH,0.0005099999834783375,false,,false,false,false,,,false,false,,2024-02-08T19:20:10.831Z,0
CVE-2024-1052,https://securityvulnerability.io/vulnerability/CVE-2024-1052,TLS Certificate Tampering Vulnerability in Boundary Enterprise,"Boundary and Boundary Enterprise by HashiCorp are susceptible to session hijacking due to vulnerabilities associated with TLS certificate tampering. An attacker with the capability to enumerate active or pending sessions may obtain a private key linked to a session and a valid trust on first use (TOFU) token. Leveraging this information, the attacker can craft a malicious TLS certificate to hijack an active session, leading to unauthorized access to the underlying services or applications.
This vulnerability poses a significant risk to users and necessitates immediate attention.",Hashicorp,"Boundary,Boundary Enterprise",8,HIGH,0.0008900000248104334,false,,false,false,false,,,false,false,,2024-02-05T20:43:53.939Z,0
CVE-2023-6337,https://securityvulnerability.io/vulnerability/CVE-2023-6337,Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests,"HashiCorp Vault and Vault Enterprise versions starting from 1.12.0 are susceptible to a denial of service threat. This vulnerability arises when the software processes large HTTP requests, both authenticated and unauthenticated, potentially exhausting the available memory on the host system. As Vault attempts to allocate memory for these requests, it can lead to crashes, impairing service availability. HashiCorp has addressed this vulnerability in versions 1.15.4, 1.14.8, and 1.13.12, making it crucial for users to update promptly.",HashiCorp,"Vault,Vault Enterprise",7.5,HIGH,0.0008800000068731606,false,,false,false,false,,,false,false,,2023-12-08T22:15:00.000Z,0
CVE-2023-5954,https://securityvulnerability.io/vulnerability/CVE-2023-5954,Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption,"A vulnerability in HashiCorp Vault and Vault Enterprise allows inbound client requests that trigger a policy check to lead to unbounded memory consumption. This condition can escalate and result in denial-of-service occurrences, impacting the availability of the service.
The vulnerability has been resolved in Vault versions 1.15.2, 1.14.6, and 1.13.10.",HashiCorp,"Vault,Vault Enterprise",7.5,HIGH,0.0008800000068731606,false,,false,false,false,,,false,false,,2023-11-09T21:15:00.000Z,0
CVE-2023-5077,https://securityvulnerability.io/vulnerability/CVE-2023-5077,Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets,"The Google Cloud secrets engine in HashiCorp Vault exhibits a vulnerability where existing IAM Conditions are removed when creating or updating rolesets. This flaw affects the way Vault interacts with Google Cloud IAM, potentially compromising the intended access controls and security configurations. Users are recommended to upgrade to Vault version 1.13.0 or later to mitigate this issue and ensure the preservation of IAM Conditions during roleset management.",Hashicorp,"Vault,Vault Enterprise",7.5,HIGH,0.0006399999838322401,false,,false,false,false,,,false,false,,2023-09-29T00:15:00.000Z,0
CVE-2023-3518,https://securityvulnerability.io/vulnerability/CVE-2023-3518,JWT Auth in L7 Intentions Allow For Mismatched Service Identity and JWT Providers for Access,"HashiCorp Consul and Consul Enterprise version 1.16.0 presents an issue where the JWT authentication for service mesh incorrectly manages access permissions based on mismatched service identities. This flaw may allow unauthorized access or deny legitimate access to services in the mesh.
The vulnerability has been addressed in version 1.16.1, and users are encouraged to upgrade to safeguard against potential exploitation.",Hashicorp,"Consul,Consul Enterprise",7.4,HIGH,0.0007699999841861427,false,,false,false,false,,,false,false,,2023-08-09T16:15:00.000Z,0
CVE-2023-2816,https://securityvulnerability.io/vulnerability/CVE-2023-2816,Consul Envoy Extension Downstream Proxy Configuration By Upstream Service Owner,"A vulnerability exists in Consul and Consul Enterprise that allows users with service:write permissions to exploit Envoy extensions through service-defaults. This misconfiguration enables unauthorized users to alter remote proxy instances that target the designated services. Consequently, even if these users lack the requisite permissions to make changes to the corresponding services, they can still affect the behavior of these services, leading to potential security risks and unauthorized access.",Hashicorp,"Consul,Consul Enterprise",8.7,HIGH,0.0004900000058114529,false,,false,false,false,,,false,false,,2023-06-02T23:15:00.000Z,0
CVE-2023-1782,https://securityvulnerability.io/vulnerability/CVE-2023-1782,Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation,"HashiCorp Nomad and Nomad Enterprise versions 1.5.0 to 1.5.2 are susceptible to a vulnerability that allows unauthenticated users to circumvent Access Control List (ACL) authorizations. This flaw arises in configurations where mutual Transport Layer Security (mTLS) is not enabled, potentially granting unauthorized access to cluster resources.
The issue has been addressed in version 1.5.3, and users are advised to upgrade to ensure the security of their deployments.",Hashicorp,"Nomad,Nomad Enterprise",10,CRITICAL,0.0016499999910593033,false,,false,false,false,,,false,false,,2023-04-05T20:15:00.000Z,0
CVE-2023-1299,https://securityvulnerability.io/vulnerability/CVE-2023-1299,Nomad Job Submitter Privilege Escalation Using Workload Identity,"A vulnerability exists in HashiCorp Nomad and Nomad Enterprise version 1.5.0 that allows a job submitter to escalate their privileges to management-level access via the workload identity feature and task API. This can lead to unauthorized actions and modifications within the Nomad environment. The issue has been addressed in version 1.5.1, making it crucial for users to update and secure their systems.",HashiCorp,"Nomad,Nomad Enterprise",8.8,HIGH,0.0008699999889358878,false,,false,false,false,,,false,false,,2023-03-14T15:15:00.000Z,0
CVE-2023-24999,https://securityvulnerability.io/vulnerability/CVE-2023-24999,Vault Fails to Verify if the AppRole SecretID Belongs to Role During a Destroy Operation,"A security issue in HashiCorp Vault's approle authorization method allows any authenticated user with the ability to access the approle destroy endpoint to eliminate the secret ID of any other role. This is accomplished by passing the secret ID accessor, leading to potential unauthorized access and manipulation of sensitive credentials. It is crucial for users of affected Vault versions to upgrade to the patched releases to mitigate this risk.",HashiCorp,"Vault,Vault Enterprise",8.1,HIGH,0.0012000000569969416,false,,false,false,false,,,false,false,,2023-03-11T00:15:00.000Z,0
CVE-2023-0690,https://securityvulnerability.io/vulnerability/CVE-2023-0690,Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured,"A vulnerability in HashiCorp Boundary versions 0.10.0 through 0.11.2 can lead to credentials being stored in plaintext.
When using a PKI-based worker with a configured Key Management Service (KMS), new credentials created after automatic rotation may not be encrypted as intended, resulting in sensitive information being written to disk without adequate protection. This severe oversight necessitates immediate attention, as it can expose critical credentials to unauthorized access.",HashiCorp,Boundary,7.1,HIGH,0.0004400000034365803,false,,false,false,false,,,false,false,,2023-02-08T19:15:00.000Z,0
CVE-2022-42717,https://securityvulnerability.io/vulnerability/CVE-2022-42717,Local Privilege Escalation Vulnerability in Hashicorp Packer on Linux,"An issue in Hashicorp Packer prior to version 2.3.1 allows local privilege escalation through an insecure sudoers configuration for Vagrant on Linux. When a host is set up according to the recommended documentation, non-privileged users may exploit a wildcard in the sudoers file to execute arbitrary commands as the root user. This vulnerability underscores the need for careful review of the sudoers configuration to prevent unauthorized access and control.",Hashicorp,Vagrant,7.8,HIGH,0.0004400000034365803,false,,false,false,false,,,false,false,,2022-10-11T23:15:00.000Z,0
CVE-2021-41803,https://securityvulnerability.io/vulnerability/CVE-2021-41803,Input Validation Flaw in HashiCorp Consul Leading to JWT Claim Vulnerabilities,"An input validation error has been identified in HashiCorp Consul versions ranging from 1.8.1 to 1.11.8, as well as 1.12.4 and 1.13.1. The vulnerability arises when node or segment names are not adequately validated before being interpolated in JSON Web Token (JWT) claim assertions during the auto configuration remote procedure call (RPC). This oversight can potentially lead to unauthorized access or manipulation of sensitive data.
Users are advised to update to fixed versions 1.11.9, 1.12.5, or 1.13.2 to secure their deployments against this issue.",Hashicorp,Consul,7.1,HIGH,0.002369999885559082,false,,false,false,false,,,false,false,,2022-09-23T00:00:00.000Z,0
CVE-2022-40186,https://securityvulnerability.io/vulnerability/CVE-2022-40186,Identity Engine Vulnerability in HashiCorp Vault Affects Multiple Mount Accessors,"A vulnerability was identified in HashiCorp Vault and Vault Enterprise versions prior to 1.11.3 within the Identity Engine. In scenarios where an entity utilizes multiple mount accessors sharing identical alias names, the system may incorrectly overwrite metadata, linking it to the wrong alias. This flaw compromises access pathways to key/value data based on incorrect metadata assignments, potentially leading to unauthorized data exposure.",Hashicorp,Vault,9.1,CRITICAL,0.0011599999852478504,false,,false,false,false,,,false,false,,2022-09-22T00:00:00.000Z,0
CVE-2022-36130,https://securityvulnerability.io/vulnerability/CVE-2022-36130,Privilege Escalation Vulnerability in HashiCorp Boundary,"HashiCorp Boundary versions prior to 0.10.2 exhibit a vulnerability where data integrity checks were inadequately performed. This oversight permitted authorized users to gain access to resources associated with different scopes, leading to a potential privilege escalation scenario. The issue was addressed in version 0.10.2, which rectified the integrity checks, enhancing the security posture of the application.",Hashicorp,Boundary,9.9,CRITICAL,0.0010400000028312206,false,,false,false,false,,,false,false,,2022-09-01T01:45:00.000Z,0
CVE-2022-38149,https://securityvulnerability.io/vulnerability/CVE-2022-38149,Data Exposure Vulnerability in HashiCorp Consul Template,"The vulnerability in HashiCorp Consul Template allows for the potential exposure of sensitive Vault secrets when improperly processing templates that utilize these secrets.
It occurs in specific versions where the method *template.Template.Execute can leak secret data through error messages. This incident highlights the critical importance of proper input validation and the need for secure coding practices to safeguard sensitive information. The issue has been addressed in newer versions, reinforcing the necessity for users to update their installations to mitigate this risk effectively.",Hashicorp,Consul Template,7.5,HIGH,0.0015800000401213765,false,,false,false,false,,,false,false,,2022-08-17T14:30:53.000Z,0
CVE-2022-36129,https://securityvulnerability.io/vulnerability/CVE-2022-36129,Unauthenticated API Vulnerability in HashiCorp Vault Enterprise,"An unauthenticated API endpoint exists in HashiCorp Vault Enterprise clusters utilizing Integrated Storage, affecting versions 1.7.0 to 1.9.7, 1.10.4, and 1.11.0. This vulnerability enables an attacker to manipulate the voter status of nodes within a high availability (HA) cluster, potentially leading to future data loss or severe operational failures. To mitigate this risk, users are urged to upgrade to Vault Enterprise versions 1.9.8, 1.10.5, or 1.11.1.",Hashicorp,Vault,9.1,CRITICAL,0.001879999996162951,false,,false,false,false,,,false,false,,2022-07-26T23:15:00.000Z,0