5 matches found
Authentication Bypass
github.com/hashicorp/terraform-provider-vault is vulnerable to Authentication Bypass. The vulnerability is due to the default deny_null_bind parameter being set to false in the LDAP auth method, which allows an attacker to authenticate using anonymous or unauthenticated binds when the LDAP server...
Insecure Default Initialization of Resource
Overview: Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in that the deny_null_bind parameter in LDAP authentication is false by default if it is not set in a config. An attacker can gain unauthorized access by exploiting LDAP servers that permit...
EUVD-2021-17399
Malware in sbrugna...
CVE-2021-30476
HashiCorp Terraform’s Vault Provider terraform-provider-vault did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1...
CVE-2021-30476
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method, enabling an overly permissive binding. Root cause: misconfiguration in bound labels. Affected version range is not specified in the provided details; reme...