hashicorp

208 tracked vulnerabilities.

CVE-2025-6203 HIGH
HashiCorp Vault 1.15.0-1.16.26, 1.17.0-1.20.2 - Denial of Service via Complex JSON Payloads
Aug 28, 2025
CVSS 7.5
EPSS 0.01
CVE-2025-8959 HIGH
HashiCorp go-getter < 1.7.9 - Unauthorized Read Access via Symlink Attack
Aug 15, 2025
CVSS 7.5
EPSS 0.01
CVE-2025-6013 MEDIUM
Vault 1.10.0-1.15.15, 1.16.0-1.19.7, 1.20.0-1.20.1 - MFA Enforcement Bypass via LDAP Username Alias Whitespace
Aug 06, 2025
CVSS 6.5
EPSS 0.01
CVE-2025-6037 MEDIUM
HashiCorp Vault < 1.20.1, 1.19.7, 1.18.12, 1.16.23 - Improper Certificate Validation in TLS Certificate Auth Method
Aug 01, 2025
CVSS 6.8
EPSS 0.00
CVE-2025-6015 MEDIUM
HashiCorp Vault 1.10.0-1.16.22, 1.17.0-1.19.6, 1.20.0 - Authentication Bypass via MFA Bypass
Aug 01, 2025
CVSS 5.7
EPSS 0.00
CVE-2025-6014 MEDIUM
HashiCorp Vault < 1.20.1 - TOTP Secrets Engine Code Reuse
Aug 01, 2025
CVSS 6.5
EPSS 0.00
CVE-2025-6011 LOW
HashiCorp Vault < 1.20.1 and 1.16.23 - Timing Side Channel in Userpass Auth Method
Aug 01, 2025
CVSS 3.7
EPSS 0.00
CVE-2025-6004 MEDIUM
HashiCorp Vault 1.13.0-1.16.22, 1.17.0-1.19.6, 1.20.0 - User Lockout Bypass via Userpass and LDAP Authentication
Aug 01, 2025
CVSS 5.3
EPSS 0.00
CVE-2025-6000 CRITICAL
HashiCorp Vault 0.8.0-1.16.22, 1.17.0-1.19.6, 1.20.0 - Authenticated RCE via Plugin Directory
Aug 01, 2025
CVSS 9.1
EPSS 0.01
CVE-2025-5999 HIGH
HashiCorp Vault 0.10.4-1.19.5 Privilege Escalation via Root Namespace Identity Endpoint
Aug 01, 2025
CVSS 7.2
EPSS 0.00
CVE-2025-4656 LOW
HashiCorp Vault DoS via Recovery Key Cancellation
Jun 25, 2025
CVSS 3.1
EPSS 0.00
CVE-2025-4922 HIGH
Nomad 1.4.0-1.10.1 - Incorrect Privilege Assignment via Prefix-Based ACL Policy Lookup
Jun 11, 2025
CVSS 8.1
EPSS 0.00
CVE-2025-3744 HIGH
Nomad Enterprise < 1.8.13 - Policy Override Bypass in Job Submissions
May 13, 2025
CVSS 7.6
EPSS 0.00
CVE-2025-3879 MEDIUM
HashiCorp Vault - Incorrect Authorization via Azure Auth Method Bound Location Bypass
May 02, 2025
CVSS 6.6
EPSS 0.00
CVE-2025-4166 MEDIUM
HashiCorp Vault 0.3.0-1.19.2 and OpenBAO < 2.2.2 - Sensitive Information Exposure in KV v2 Plugin Error Logs
May 02, 2025
CVSS 4.5
EPSS 0.00
CVE-2025-1296 MEDIUM
Nomad 1.0.0-1.7.18, 1.8.0-1.9.6 - Sensitive Token Exposure in Audit Logs
Mar 10, 2025
CVSS 6.5
EPSS 0.00
CVE-2025-1293 HIGH
Hermes < 0.5.0 - Authentication Bypass via Improper AWS ALB JWT Validation
Feb 20, 2025
CVSS 8.2
EPSS 0.00
CVE-2025-0937 HIGH
Nomad 1.0.0-1.7.17 and 1.8.0-1.9.5 - Incorrect Authorization via Wildcard Namespace Event Stream
Feb 12, 2025
CVSS 7.1
EPSS 0.00
CVE-2025-0377 HIGH
HashiCorp's go-slug - Path Traversal
Jan 21, 2025
CVSS 7.5
EPSS 0.01
CVE-2024-12678 MEDIUM
Nomad 1.4.0-1.7.15, 1.8.0-1.9.3 - Privilege Escalation via Unredacted Workload Identity Token
Dec 20, 2024
CVSS 6.5
EPSS 0.01
CVE-2024-12289 MEDIUM
Boundary 0.8.0-0.16.3 and 0.17.0-0.18.1 - Denial of Service via Controller Initialization HTTP Request Handling
Dec 12, 2024
CVSS 5.9
EPSS 0.00
CVE-2024-10975 HIGH
Nomad 1.3.0-1.7.14, 1.8.0-1.9.1 - Unauthorized Cross-Namespace Volume Creation via CSI Write Permission
Nov 07, 2024
CVSS 7.7
EPSS 0.00
CVE-2024-8185 HIGH
HashiCorp Vault 1.2.0-1.18.0 and OpenBAO < 2.0.3 - Denial of Service via Raft Cluster Join API Endpoint
Oct 31, 2024
CVSS 7.5
EPSS 0.00
CVE-2024-10086 MEDIUM
Consul 1.4.1-1.15.14, 1.16.0-1.19.9 - Reflected Cross-Site Scripting via Content-Type Header Manipulation
Oct 30, 2024
CVSS 6.1
EPSS 0.00
CVE-2024-10006 HIGH
Consul 1.4.1-1.20.0 and 1.9.0-1.15.14 - HTTP Header Bypass via L7 Traffic Intentions
Oct 30, 2024
CVSS 8.3
EPSS 0.00