189 matches found
Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
Summary When using the Vault and Vault Enterprise Vault approle auth method, any authenticated user with access to the /auth/approle/role/:rolename/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-249...
Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability, CVE-2023-0845, was fixed in Consul...
Nomad Client Vulnerable to Decompression Bombs in Artifact Block
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that a job submitted with a maliciously compressed source a.k.a “Zip Bomb” in an artifact stanza can cause excessive disk resource consumption, crashing a Nomad client agent. This vulnerability, CVE-2023-0821, was...
go-getter vulnerable to denial of service via malicious compressed archive
Summary HashiCorp’s go-getter library up to 1.6.2 and 2.1.1 is vulnerable to denial of service via a malicious compressed archive. This vulnerability CVE-2023-0475 was fixed in go-getter 1.7.0 and 2.2.0. Background HashiCorp’s go-getter is a Go library for downloading files or directories from...
Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured
Summary A vulnerability in Boundary was identified such that when a Key Management Service KMS was defined in Boundary’s configuration file with the intent of using the KMS to encrypt the credentials stored on disk, new credentials created after an automatic rotation may not have been encrypted v...
Vault, Consul, Boundary, and Waypoint Affected By Denial of Service in Go’s net/http (CVE-2022-41717)
Summary A denial of service vulnerability was reported in Golang’s net/http package. This vulnerability, CVE-2022-41717, was fixed in conjunction with another security issue in Go releases 1.18.9 and 1.19.4, and subsequently addressed with new releases of the affected HashiCorp products listed...
Consul Cluster Peering Leaks Imported Nodes/Services Information
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that the /v1/internal/ui/nodes and /v1/internal/ui/services HTTP endpoints do not properly filter information by ACL policies. This vulnerability, CVE-2022-3920, was fixed in Consul 1.14.0. Background Consul...
Nomad’s Event Stream Subscriber Using ACL Token with TTL Receive Updates Until Garbage Collected
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that an event stream subscriber using an ACL token with an expiry TTL set would continue to receive events until the token was garbage collected. This vulnerability, CVE-2022-3867, was fixed in Nomad 1.4.2. Backgrou...
Nomad’s Workload Identity Token Can List Non-sensitive Metadata For nomad/ Paths
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that a workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace.This vulnerability, CVE-2022-3866, was fixed in Nomad 1.4.2. Background Nomad’s...
Vault's TLS Cert Auth Method Only Loaded CRL After First Request
Summary Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0,...
Vagrant NFS sudoers Configuration Allows for Local Privilege Escalation
Summary Optional sudoers configuration for Vagrant NFS shared folders allows for local privilege escalation Background The documentation associated with Vagrant’s NFS driver for Linux suggested configuring a Vagrant host with a specific sudoers configuration, which removed the need for vagrant...
Nomad Panics On Job Submission With Bad Artifact Stanza Source URL
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that a job submitted with an invalid S3 or GCS URL in an artifact stanza can cause a panic, crashing a Nomad client agent. This vulnerability, CVE-2022-41606, was fixed in Nomad 1.2.13, 1.3.6, and 1.4.0. Background...
Consul Service Mesh Intention Bypass with Malicious Certificate Signing Request
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that a specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This vulnerability, CVE-2022-40716, was fixed in Consul...
Consul Auto-Config JWT Authorization Missing Input Validation
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that a specially crafted auto-config request allows TLS certificate and ACL token to be generated for a node name not intended by the operator. This vulnerability, CVE-2021-41803, was fixed in Consul 1.11.9,...
Vault Entity Alias Metadata May Leak Between Aliases With The Same Name Assigned To The Same Entity
Summary When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. This vulnerability,...
Boundary Allowed Access To Host Sets And Credential Sources For Authorized Users Of Another Scope
Summary HashiCorp Boundary versions up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. This vulnerability, CVE-2022-36130, is fixed in Boundary...
Consul Template May Expose Vault Secrets When Processing Invalid Input
Summary A vulnerability was identified in Consul Template such that invalid template contents can reveal the contents of a Vault secret. This vulnerability, CVE-2022-38149, was fixed in Consul Template 0.27.3, 0.28.3, and 0.29.2. Background Consul Templates provides a programmatic method for...
Vault Enterprise Does Not Verify Existing Voter Status When Joining An Integrated Storage HA Node
Summary Vault Enterprise “Vault” clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129,...
Nomad Impacted by go-getter Vulnerabilities
Summary Vulnerabilities were identified in the go-getter library that Nomad and Nomad Enterprise “Nomad” uses for its artifacts such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. This combined exposure, CVE-2022-30324, affects Nomad versions...
Multiple Vulnerabilities In go-getter Library
Summary Multiple vulnerabilities were identified in HashiCorp’s go-getter library up to 1.5.11 and 2.0.2. These vulnerabilities CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, CVE-2022-30323 were fixed in go-getter 1.6.1 and 2.1.0. Background HashiCorp’s go-getter is a Go library for downloading...
Vault’s Login MFA Configuration And Enforcement Not Reloaded After Restart
Summary A vulnerability was identified in Vault and Vault Enterprise “Vault” from 1.10.0 to 1.10.2 where MFA may not be enforced on user logins after a server restart. This vulnerability, CVE-2022-30689, was fixed in Vault 1.10.3. Background Vault provides a wide range authentication methods,...
Consul’s HTTP Health Check May Allow Server Side Request Forgery
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery SSRF. This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5...
Vault PKI Secrets Engine Policy Results In Incorrect Wildcard Certificate Issuance
Summary Vault and Vault Enterprise “Vault” allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allowsubdomains is set to false. This vulnerability, CVE-2022-25243, was fixed in...
Vault Enterprise’s Tokenization Transform Configuration Endpoint May Expose Transform Key
Summary Vault Enterprise “Vault” clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. This vulnerability, CVE-2022-25244, was fixed in Vault Enterprise...
Consul’s Connect Service Mesh Affected By Recent Envoy Security Releases
Summary Consul and Consul Enterprise “Consul” clusters using Consul Connect service mesh should be updated to adopt recent Envoy security releases. Consul’s 1.9 releases support only Envoy 1.16 and older, which are no longer supported and did not receive recent security fixes. Background Consul...
Terraform Enterprise May Capture Sensitive Data In Logs
Summary Terraform Enterprise was configured to log inbound HTTP requests in a manner that may capture sensitive data. This vulnerability, CVE-2022-25374, was fixed in Terraform Enterprise v202202-1. Background Terraform Enterprise TFE is an application that helps teams use Terraform together, wit...
Consul Ingress Gateway Panic Can Shutdown Servers
Summary Consul and Consul Enterprise “Consul” clusters with at least one Ingress Gateway allow a user with service:write permissions to register a specifically-defined service that will cause the Consul server to panic. This vulnerability, CVE-2022-24687, was fixed in Consul 1.9.15, 1.10.8, and...
Nomad Spread Job Stanza May Trigger Panic in Servers
Summary Nomad and Nomad Enterprise “Nomad” allows operators with job-submit capabilities to use the spread stanza in a way such that it can cause panic in Nomad servers. This vulnerability, CVE-2022-24684, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6. Background The spread stanza within a Nomad j...
Nomad Malformed Job Parsing Results in Excessive CPU Usage
Summary Nomad and Nomad Enterprise “Nomad” allows anyone with access to Nomad’s API to submit HCL formatted jobs for parsing to return the equivalent JSON. This endpoint allowed malformed HCL configuration to be evaluated, resulting in excessive CPU usage on Nomad server agents. This vulnerabilit...
Nomad alloc Filesystem and Container Escape
Summary Nomad and Nomad Enterprise “Nomad” allows operators with read-fs and alloc-exec or job-submit capabilities to read arbitrary files on the host filesystem as root through the Nomad client agent. This vulnerability, CVE-2022-24683, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6. Background...
Nomad Artifact Download Race Condition
Summary Nomad and Nomad Enterprise “Nomad” artifact download functionality had a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. This vulnerability, CVE-2022-24686, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6. Background Nomad uses th...
Vault, Consul, Boundary, and Waypoint Affected By Denial of Service in Golang’s net/http (CVE-2021-44716)
Summary A denial of service vulnerability was reported in Golang’s net/http package. This vulnerability, CVE-2021-44716, was fixed in conjunction with another security issue in Go releases 1.16.12 and 1.17.5, and subsequently addressed with new releases of the affected HashiCorp products listed...
Vault’s KV Secrets Engine With Integrated Storage Exposed to Authenticated Denial of Service
Summary It was reported that for Vault and Vault Enterprise “Vault” clusters using the Integrated Storage backend could be caused to crash by an authenticated user with write permissions to the KV secrets engine. This vulnerability, CVE-2021-45042, was fixed in Vault 1.7.7, 1.8.6, and 1.9.1...
HashiCorp Response to Apache Log4j 2 Security Issue (CVE-2021-44228)
Summary HashiCorp products and services have no known exposure to the Apache Log4j 2 security issue CVE-2021-44228 at this time. This bulletin will be updated if this situation changes. Background A high severity vulnerability impacting multiple versions of Apache Log4j 2 , CVE-2021-44228 , was...
Nomad QEMU Task Driver Allowed Paths Bypass with Job Args
Summary Nomad and Nomad Enterprise “Nomad”, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed paths for images. This vulnerability, CVE-2021-43415, was fixed in Nomad 1.0.14, 1.1.8, and 1.2.1. Background Nomad provides...
Vault's Templated ACL Policies Matched First-Created Alias Per Entity and Auth Backend
Summary Vault and Vault Enterprise “Vault” templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed...
Consul Enterprise Namespace Default ACLs Allow Privilege Escalation
Summary A vulnerability was identified in Consul Enterprise such that an ACL token with the default operator:write permissions in one namespace may be used to escalate privileges into any other permissions across all namespaces. This vulnerability, CVE-2021-41805, was fixed in Consul Enterprise...
Vault's Google Cloud Secrets Engine Policies With Globs May Provide Additional Privileges in Vault 1.8.0 Onwards
Summary The Google Cloud secrets engine in Vault or Vault Enterprise “Vault” 1.8.0 and above may provide users, under specific conditions, with more privileges than in prior versions. Due to changes in the underlying functionality of the Google Cloud secrets engine, policies that use globs may...
Vault Merging Multiple Entity Aliases for the Same Mount May Allow Privilege Escalation
Summary A Vault or Vault Enterprise “Vault” user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user’s policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4...
Nomad Denial Of Service Via Submission Of Incomplete Job Specification Using Consul Mesh Gateway & Host Network
Summary Nomad and Nomad Enterprise “Nomad” allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. This vulnerability, CVE-2021-41865, was fixed in Nomad 1.1.6...
Terraform Enterprise Configuration Versions API Discloses Sensitive URL
Summary Terraform Enterprise versions up to v202108-1 included a sensitive URL in specific responses to the Configuration Versions API, allowing potential privilege escalation or configuration manipulation. This vulnerability, CVE-2021-40862, was fixed in Terraform Enterprise v202109-1. Backgroun...
Consul Missing Authorization Check on Txn.Apply Endpoint
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that anyone with service:write permissions for any service would be allowed to register a proxy for any other service. This vulnerability, CVE-2021-38698, was fixed in Consul and Consul Enterprise 1.8.15, 1.9.9,...
Consul Exposed to Denial of Service in GoGo Protobuf Dependency
Summary Consul and Consul Enterprise “Consul” were vulnerable to denial of service due to a flaw in the gogo/protobuf module used for Consul’s protocol buffer support. This vulnerability, CVE-2021-3121, was addressed in Consul and Consul Enterprise 1.8.15, 1.9.9 and 1.10.2. Background Consul has ...
Consul Raft RPC Privilege Escalation
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that anyone with a certificate signed by the CA can escalate privileges by directly communicating with the Consul server’s Raft RPC layer. This vulnerability, CVE-2021-37219, was fixed in Consul and Consul...
Nomad Raft RPC Privilege Escalation
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that client agents can escalate privileges by directly communicating with the server agent’s Raft RPC layer. This vulnerability, CVE-2021-37218, was fixed in Nomad 1.0.10 and 1.1.4. Background Nomad uses mTLS for...
Vault’s Integrated Storage Backend Database File May Have Excessively Broad Permissions
Summary When initializing Vault’s Integrated Storage backend, excessively broad filesystem permissions may be set for the underlying Bolt database used by Vault’s Raft implementation. This vulnerability, CVE-2021-38553, was fixed in Vault 1.8.0. Background Vault’s Integrated Storage was introduce...
Vault’s UI Cached User-Viewed Secrets Between Shared Browser Sessions
Summary The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will b...
Terraform Enterprise Allowed Privilege Escalation Via Run Token
Summary Terraform Enterprise versions up to v202106-1 did not perform proper authorization checks for a subset of API requests performed using the run token, allowing for privilege escalation. This vulnerability, CVE-2021-36230, was fixed in Terraform Enterprise v202107-1. Background All Terrafor...
Consul’s Envoy TLS Configuration Did Not Validate Destination Service Subject Alternative Names
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that the Envoy proxy configuration for Consul Connect does not mutually verify the destination service identity. This vulnerability, CVE-2021-32574, affects Consul versions 1.3.0 up to 1.10.0, and is fixed in the...
Consul’s Application-Aware Intentions Deny Action Fails Open When Combined With Default Deny Policy
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that using defaultpolicy = "deny" with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. This vulnerability, CVE-2021-36213,...