189 matches found
Vault Renewed Nearly-Expired Leases With Incorrect Non-Expiring TTLs
Summary Vault and Vault Enterprise “Vault” allowed the renewal of nearly-expired token leases and dynamic secret leases specifically, those within 1 second of their maximum TTL, which caused them to be incorrectly treated as non-expiring during subsequent use. This vulnerability, CVE-2021-32923,...
Nomad Bridge Networking Mode Allows ARP Spoofing From Other Bridged Tasks On Same Node
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that Nomad’s bridge networking mode allows ARP spoofing from other bridged tasks on the same node. This vulnerability, CVE-2021-32575, affects all Nomad versions up to 1.0.4, and is fixed in the 0.12.12, 1.0.5 and...
Vault GitHub Action Did Not Correctly Mask Multi-Line Secrets In Output
Summary The Vault GitHub Action, vault-action or vault-secrets “vault-action”, did not correctly mask multi-line secrets in its output. This vulnerability, CVE-2021-32074, was fixed in vault-action 2.2.0. Background The Vault GitHub Action, vault-action...
Terraform’s Vault Provider Did Not Correctly Configure Bound Labels for GCP Auth
Summary Terraform’s Vault Provider terraform-provider-vault did not correctly configure GCE-type bound labels for Vault’s GCP auth method. This vulnerability, CVE-2021-30476, was fixed in terraform-provider-vault 2.19.1. Background Terraform’s Vault Provider...
Vault’s Cassandra Integrations Did Not Validate TLS Certificates
Summary Vault and Vault Enterprise “Vault” Cassandra integrations, a Vault storage backend and database secrets engine plugin, did not validate TLS certificates when connecting to Cassandra clusters. This vulnerability, CVE-2021-27400, was fixed in Vault and Vault Enterprise 1.6.4 and 1.7.1...
Vault’s PKI Engine CRL May Exclude Revoked But Unexpired Certificates After Tidy
Summary Vault and Vault Enterprise “Vault” PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the Vault CRL. This vulnerability, CVE-2021-29653, was fixed in Vault and Vault Enterprise 1.5.8, 1.6.4, and 1.7.1. Background The Vault PKI Secrets...
Consul Enterprise Audit Log Bypass for HTTP Events
Summary A vulnerability was identified in Consul Enterprise such that a specially crafted HTTP request can be used to bypass the audit log for HTTP events. This vulnerability, CVE-2021-28156, affects Consul Enterprise versions 1.8.0 up to 1.9.4, and is fixed in the 1.9.5 and 1.8.10 releases...
Consul API KV Endpoint Vulnerable to Cross-Site Scripting
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that a specially crafted key-value entry could be used to perform a cross-site scripting XSS attack when viewed in Consul KV API’s raw mode. This vulnerability, CVE-2020-25864, affects all Consul versions up to...
Terraform Enterprise Organization-Level MFA Requirement Was Not Enforced
Summary Terraform Enterprise did not enforce the organization-level setting to require all users within an organization to enable two-factor authentication. This vulnerability, CVE-2021-3153, was fixed in Terraform Enterprise v202103-1. Background Terraform Enterprise organizations are a shared...
Vault Enterprise’s DR Secondaries Exposed License Metadata Without Authentication
Summary Vault Enterprise’s /sys/license endpoint allowed the read of license metadata from Vault DR secondaries without authentication. This vulnerability, CVE-2021-27668, was fixed in Vault Enterprise 1.6.3. Background Vault Enterprise nodes expose the /sys/license API endpoint for access to and...
Vault Enterprise’s DR Secondaries Allowed Raft Peer Removal Without Authentication
Summary Vault Enterprise 1.6.0 and 1.6.1 allowed the remove-peer raft operator command to be executed against DR secondaries without authentication. This vulnerability, CVE-2021-3282, was fixed in Vault Enterprise 1.6.2. Background Vault Enterprise clusters configured with integrated storage also...
Vault API Endpoint Allowed Enumeration of Secrets Engine Mount Paths Without Authentication
Summary Vault and Vault Enterprise “Vault” allowed the enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This vulnerability, CVE-2020-25594, was fixed in Vault 1.6.2 & 1.5.7. Background Vault operators are able to mount Secrets Engines at customizable paths. Secrets...
Vault API Endpoint Exposed Internal IP Address Without Authentication
Summary Vault and Vault Enterprise “Vault” would disclose the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. This vulnerability, CVE-2021-3024, was fixed in Vault 1.6.2 & 1.5.7. Background Vault’s API is the primary means by which a Vault nod...
Nomad’s Exec and Java Task Drivers Did Not Isolate Processes
Summary Nomad and Nomad Enterprise “Nomad” exec and java task drivers may allow a malicious task to access information regarding processes associated with other tasks on the same node. This vulnerability, CVE-2021-3283, affects all prior Nomad versions and is fixed in the 0.12.10 and 1.0.3...
Vault’s LDAP Auth Method Allows User Enumeration
Summary Vault and Vault Enterprise “Vault” allowed enumeration of users via the LDAP auth method. This vulnerability, CVE-2020-35177, was introduced in Vault 1.4.1 and fixed in Vault 1.6.1 and 1.5.6. Background The Vault LDAP auth method documented at LDAP - Auth Methods | Vault by HashiCorp allo...
Vault Enterprise’s Sentinel EGP Policies May Impact Parent or Sibling Namespaces
Summary Vault Enterprise Sentinel EGP policies should be constrained to the namespace in which they’re applied, or to children namespaces. Incorrect parsing of the supplied path, when configuring EGP policies, allowed them to process requests in parent and sibling namespaces. This vulnerability,...
Nomad File Sandbox Escape via Container Volume Mount
Summary A vulnerability, CVE-2020-28348, was discovered in Nomad and Nomad Enterprise “Nomad” such that an operator with job submission capabilities can mount the host file system of a client agent and subvert the default Docker file sandbox feature when not explicitly disabled or when using a...
Consul Operator Read ACL Enables Connect Service Masquerading
Summary A vulnerability, CVE-2020-28053, was identified in Consul and Consul Enterprise “Consul” such that operators with operator:read ACL permissions were able to read the Consul Connect CA configuration including the private key. Background Consul Connect utilizes mutual TLS to establish servi...
Nomad File Sandbox Escape via Template and Artifact Stanzas
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that a specially crafted Nomad jobspec can be used to escape the client file sandbox configuration. This vulnerability, CVE-2020-27195, affects version 0.9.0 up to 0.12.5, and is fixed in the 0.12.6, 0.11.5, and...
Vault Leases Created with Batch Tokens have Invalid Expiration
Summary HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. This vulnerability, CVE-2020-25816, was fixed in 1.4.7 and 1.5.4. Background Vault allows the issuance of batch...
Consul Enterprise Namespace Config Entry Replication Denial of Service
Summary Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause infinite Raft writes. This vulnerability, CVE-2020-25201, was fixed in 1.7.9 and 1.8.5. Background Consul Enterprise namespaces enable organizational multi-tenancy so that...
Vault SSH Helper Validated IP Addresses Incorrectly
Summary vault-ssh-helper up to and including version 0.1.6 incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host’s network interface was located, rather than the specific IP address assigned to that interface. Assigned CVE-2020-24359 and fixed in 0.1.7. Background...
Vault’s GCP Auth Method Allows Authentication Bypass
Summary A vulnerability was identified in Vault and Vault Enterprise “Vault” such that, with the GCP Auth Method configured and under certain circumstances, the values relied upon by Vault to validate Google Compute Engine GCE VMs may be manipulated and authentication bypassed. This vulnerability...
Vault’s AWS Auth Method Allows Authentication Bypass
Summary A vulnerability was identified in Vault and Vault Enterprise “Vault” such that, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM identities and roles may be manipulated and authentication bypassed. This vulnerability,...
Terraform Enterprise Allowed Local Account Creation Bypassing SSO
Summary HashiCorp Terraform Enterprise up to v202006-1 contained a default signup page that allowed user registration even when disabled, bypassing SAML enforcement. This vulnerability, CVE-2020-15511, was fixed in v202007-1. Background Terraform Enterprise allowed single sign-on to be enabled vi...
Consul DNS and HTTP Cache Abuse Denial of Service
Summary Consul and Consul Enterprise include an HTTP API introduced in 1.2.0 and DNS introduced in 1.4.3 caching feature that was vulnerable to denial of service. This vulnerability, CVE-2020-13250, was fixed in Consul 1.6.6 and 1.7.4. Background Consul 1.2.0 introduced an agent cache to ease...
Vault Proxy Environment Variable Was Logged to STDOUT
Summary Vault and Vault Enterprise “Vault” logged proxy environment variables that potentially included sensitive credentials. This vulnerability, CVE-2020-13223, was fixed in Vault 1.3.6 and 1.4.2. Background Vault respects the HTTPPROXY and HTTPSPROXY environment variables. Details When HTTPPRO...
Consul Local ACL Token Can Be Used in Remote Datacenters
Summary Consul and Consul Enterprise “Consul” did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. This vulnerability, CVE-2020-13170, was introduced in Consul 1.4.0 and fixed in 1.6.6 and 1.7.4...
Consul Legacy ACL Permission Changes Not Propagated to Secondary Datacenters
Summary Consul and Consul Enterprise “Consul” failed to enforce changes to legacy ACL token rules due to non-propagation to secondary datacenters. This vulnerability, CVE-2020-12797, was introduced in Consul 1.4.0 and fixed in 1.6.6 and 1.7.4. Background Consul supports the replication of ACLs...
Consul Server Crash With Invalid Service-Router Config Entry
Summary HashiCorp Consul and Consul Enterprise “Consul” could crash when configured with an abnormally-formed service-router entry. This vulnerability, CVE-2020-12758, was introduced in Consul 1.6.0 and fixed in 1.6.6 and 1.7.4. Background Consul allows the definition of service-router...
Vault's GCP Secrets Engine Service Account Keys Not Enforcing Configured TTL
Summary Vault and Vault Enterprise versions 1.3.5/1.4.0 through 1.4.2, configured with the GCP Secrets Engine may, under certain circumstances, incorrectly generate GCP Credentials with the default time-to-live lease duration, instead of the engine configured setting. This may lead to generated G...
Nomad's Raw File View Vulnerable to Cross-Site Scripting
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. This vulnerability, CVE-2020-10944, affects all Nomad versions since 0.3 and is fixed in the 0.10.5 release. Background...
Vault Enterprise Prefixed Mount Policies May Result In Unauthorized Namespace Access
Summary A vulnerability was identified in Vault Enterprise such that, under certain circumstances, existing nested-path policies may give access to Namespaces created after-the-fact. This vulnerability, CVE-2020-10661, affects Vault Enterprise versions 0.11 and newer and is fixed in 1.3.4...
Vault Auth Groups Not Removed In Certain Circumstances
Summary A vulnerability was identified in Vault and Vault Enterprise “Vault” such that, under certain circumstances, an Entity’s Group membership may inadvertently include external Groups the Entity no longer has permissions to. This vulnerability, CVE-2020-10660, affects Vault and Vault Enterpri...
Nomad's mTLS Authorization Mechanism Susceptible to Privilege Escalation
Summary Nomad and Nomad Enterprise “Nomad” up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Assigned CVE-2020-7956, this vulnerability was fixed in Nomad 0.10.3. Background Securing Nomad’s cluster...
Consul's Health Check API Endpoints May Disclose Information
Summary Consul and Consul Enterprise “Consul” did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. This vulnerability affected Consul versions 1.4.1 through 1.6.2 and was assigned CVE-2020-7955. Background Consul uses Access Control...
Vault Enterprise’s Dynamic Secrets May Persist After Namespace Deletion
Summary A vulnerability was identified in Vault Enterprise such that when deleting a namespace, in certain circumstances, the deletion process will fail to revoke dynamic secrets for a mount in that namespace. This vulnerability, CVE-2020-7220, affects Vault Enterprise 0.11.0 and newer and is fix...
Consul’s HTTP/RPC Services Allow Unbounded Resource Usage, Susceptible to Unauthenticated Denial of Service
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that unbounded resource usage, triggered by the establishment of many unauthenticated HTTP or RPC connections, may generate excessive load and/or crash the server. This vulnerability, CVE-2020-7219, affects all...
Nomad’s HTTP/RPC Services Allow Unbounded Resource Usage, Susceptible to Unauthenticated Denial of Service
Summary A vulnerability was identified in Nomad and Nomad Enterprise “Nomad” such that unbounded resource usage, triggered by the establishment of many unauthenticated HTTP or RPC connections, may generate excessive load and/or crash the server. This vulnerability, CVE-2020-7218, affects all...