pkg:Go/github.com/hashicorp/vault

All known vulnerabilities

• CRITICAL9.8CVE-2020-25816Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.0.0, < 1.5.4
• CRITICAL9.8CVE-2020-25816Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.0.0-beta1, < 1.5.4
• CRITICAL9.8HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 in github.com/hashicorp/vault
  >= 1.4.0, < 1.8.0
• CRITICAL9.8HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 in github.com/hashicorp/vault
  >= 1.4.0, < 1.8.0
• CRITICAL9.1Arbitrary Remote Code Execution via Plugin Catalog Abuse
  >= 0.8.0, < 1.20.1
• CRITICAL9.1Arbitrary Remote Code Execution via Plugin Catalog Abuse
  >= 0.8.0, < 1.20.1
• CRITICAL9.1HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
  >= 0.11.0, < 1.3.4
• CRITICAL9.1HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
  >= 0.11.0, < 1.3.4
• CRITICAL9.1HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault
  >= 1.8.0, < 1.9.9, >= 1.10.0, < 1.10.6, >= 1.11.0, < 1.11.3
• CRITICAL9.1HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault
  >= 1.11.0, < 1.11.3
• CRITICAL9.1HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault
  >= 0.11.0, < 1.7.6, >= 1.8.0, < 1.8.5
• CRITICAL9.1HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault
  >= 0.11.0, < 1.7.6
• HIGH8.2HashiCorp Vault Authentication bypass in github.com/hashicorp/vault
  >= 0.8.3, < 1.2.5
• HIGH8.2HashiCorp Vault Authentication bypass in github.com/hashicorp/vault
  >= 0.8.3, < 1.2.5, >= 1.3.0, < 1.3.8, >= 1.4.0, < 1.4.4, >= 1.5.0, < 1.5.1
• HIGH8.2Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault
  >= 0.8.1, < 1.2.5, >= 1.3.0, < 1.3.8, >= 1.4.0, < 1.4.4, >= 1.5.0, < 1.5.1
• HIGH8.2Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault
  >= 0.8.1, < 1.2.5
• HIGH8.1Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
  >= 0.10.0, <= 1.21.4
• HIGH8.1Vault AWS auth method bypass due to AWS client cache
  >= 0.6.0, < 1.21.0
• HIGH8.1Vault AWS auth method bypass due to AWS client cache
  >= 0.6.0, < 1.21.0
• HIGH8.1Vault Cert Auth Method Did Not Correctly Validate Non-CA Certificates
  from 0, < 1.14.10, >= 1.15.0, < 1.15.5
• HIGH8.1Vault Cert Auth Method Did Not Correctly Validate Non-CA Certificates
  >= 1.15.0, < 1.15.5
• HIGH8.1Vault Fails to Verify if the AppRole SecretID Belongs to Role During a Destroy Operation
  from 0, < 1.10.11
• HIGH8.1Vault Fails to Verify if the AppRole SecretID Belongs to Role During a Destroy Operation
  from 0, < 1.10.11, >= 1.11.0, < 1.11.8, >= 1.12.0, < 1.12.4
• HIGH8.1Incorrect Privilege Assignment in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.8.0, < 1.8.5
• HIGH8.1Incorrect Privilege Assignment in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.8.0, <= 1.8.4
• HIGH7.6Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets
  from 0, < 1.13.0
• HIGH7.6Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets
  from 0, < 1.13.0
• HIGH7.5Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
  from 0, <= 1.21.4
• HIGH7.5Vault Token Leaked to Backends via Authorization: Bearer Passthrough Header
  >= 0.11.2, <= 1.21.4
• HIGH7.5Vault Vulnerable to Denial of Service Due to Rate Limit Regression
  >= 1.20.3, < 1.21.0
• HIGH7.5Vault Vulnerable to Denial of Service Due to Rate Limit Regression
  >= 1.20.3, < 1.21.0
• HIGH7.5Vault unauthenticated denial of service through complex json payload
  from 0, < 1.20.3
• HIGH7.5Vault unauthenticated denial of service through complex json payload
  from 0, < 1.20.3
• HIGH7.5Vault Vulnerable to Denial of Service When Processing Raft Join Requests
  >= 1.2.0, < 1.18.1
• HIGH7.5Vault Vulnerable to Denial of Service When Processing Raft Join Requests
  >= 1.2.0, < 1.18.1
• HIGH7.5Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default
  >= 1.7.7, < 1.17.6
• HIGH7.5Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default
  >= 1.7.7, < 1.17.6
• HIGH7.5Vault Vulnerable to Denial of Service When Setting a Proxy Protocol Behavior
  >= 1.10.0, < 1.15.12
• HIGH7.5Vault Vulnerable to Denial of Service When Setting a Proxy Protocol Behavior
  >= 1.10.0, < 1.16.3, >= 1.17.0-rc1, < 1.17.2
• HIGH7.5Improper Authentication in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.6.0, < 1.6.2
• HIGH7.5Improper Authentication in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.6.0, < 1.6.2
• HIGH7.5Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests
  >= 1.15.0, < 1.15.4
• HIGH7.5Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests
  >= 1.12.0, < 1.13.12, >= 1.14.0, < 1.14.8, >= 1.15.0, < 1.15.4
• HIGH7.5Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption
  from 0, < 1.13.10
• HIGH7.5Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption
  from 0, < 1.13.10, >= 1.14.0, < 1.14.6, >= 1.15.0, < 1.15.2
• HIGH7.5Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault
  >= 0.11.0, < 1.3.2
• HIGH7.5Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault
  >= 0.11.0, < 1.3.2
• HIGH7.5Information Disclosure in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.3.0, < 1.3.6
• HIGH7.5Information Disclosure in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.3.0, < 1.3.6, >= 1.4.0, < 1.4.2
• HIGH7.4Invalid session token expiration in github.com/hashicorp/vault
  >= 1.7.0, < 1.7.2
• HIGH7.4Invalid session token expiration in github.com/hashicorp/vault
  >= 0.10.0, < 1.5.9, >= 1.6.0, < 1.6.5, >= 1.7.0, < 1.7.2
• HIGH7.2Vault Root Namespace Operator May Elevate Token Privileges
  >= 0.10.4, < 1.20.0
• HIGH7.2Vault Root Namespace Operator May Elevate Token Privileges
  >= 0.10.4, < 1.20.0
• HIGH7.2Vault Operators in Root Namespace May Elevate Their Privileges
  from 0, < 1.18.0
• HIGH7.2Vault Operators in Root Namespace May Elevate Their Privileges
  from 0, < 1.18.0
• MEDIUM6.8Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates
  from 0, < 1.20.1
• MEDIUM6.8Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates
  from 0, < 1.20.1
• MEDIUM6.8Vault's Transit Secrets Engine Allowed Nonce Specified without Convergent Encryption
  >= 1.6.0, < 1.12.11
• MEDIUM6.8Vault's Transit Secrets Engine Allowed Nonce Specified without Convergent Encryption
  >= 1.6.0, < 1.12.11, >= 1.13.0, < 1.13.7, >= 1.14.0, < 1.14.3
• MEDIUM6.7Vault Vulnerable to SQL Injection When Configuring the Microsoft SQL Database Storage Backend
  >= 0.8.0, < 1.11.9, >= 1.12.0, < 1.12.5, >= 1.13.0, < 1.13.1
• MEDIUM6.7Vault Vulnerable to SQL Injection When Configuring the Microsoft SQL Database Storage Backend
  >= 0.8.0, < 1.11.9
• MEDIUM6.6Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login
  >= 1.10.0, < 1.19.1
• MEDIUM6.6Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login
  >= 1.10.0, < 1.19.1
• MEDIUM6.5Vault LDAP MFA Enforcement Bypass When Using Username As Alias
  from 0, < 1.20.2
• MEDIUM6.5Vault LDAP MFA Enforcement Bypass When Using Username As Alias
  from 0, < 1.20.2
• MEDIUM6.5Vault TOTP Secrets Engine Code Reuse
  from 0, < 1.20.1
• MEDIUM6.5Vault TOTP Secrets Engine Code Reuse
  from 0, < 1.20.1
• MEDIUM6.5Vault Leaks AppRole Client Tokens And Accessor in Audit Log
  >= 1.17.3, < 1.17.5
• MEDIUM6.5Vault Leaks AppRole Client Tokens And Accessor in Audit Log
  >= 1.17.3, < 1.17.5
• MEDIUM6.5Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.5.0, < 1.5.6
• MEDIUM6.5Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault
  >= 1.5.0, < 1.5.6, >= 1.6.0, < 1.6.1
• MEDIUM6.5Vault PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata
  from 0, < 1.11.9
• MEDIUM6.5Vault PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata
  from 0, < 1.11.9, >= 1.12.0, < 1.12.5, >= 1.13.0, < 1.13.1
• MEDIUM6.4Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses
  from 0, < 1.16.0
• MEDIUM6.4Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses
  from 0, < 1.16.0
• MEDIUM5.7Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse
  >= 1.10.0, < 1.20.1
• MEDIUM5.7Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse
  >= 1.10.0, < 1.20.1
• MEDIUM5.3Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
  >= 1.14.0, <= 1.21.4
• MEDIUM5.3Vault Userpass and LDAP User Lockout Bypass
  >= 1.13.0, < 1.20.1
• MEDIUM5.3Vault Userpass and LDAP User Lockout Bypass
  >= 1.13.0, < 1.20.1
• MEDIUM5.3HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
  >= 0.9.0, < 1.3.4
• MEDIUM5.3HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
  >= 0.9.0, < 1.3.4
• MEDIUM5.3Vault's LDAP Auth Method Allows for User Enumeration
  from 0, < 1.13.5, >= 1.14.0, < 1.14.1
• MEDIUM5.3Vault's LDAP Auth Method Allows for User Enumeration
  from 0, < 1.13.5
• MEDIUM5.3HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault
  from 0, < 1.9.10, >= 1.10.0, < 1.10.7, >= 1.11.0, < 1.11.4
• MEDIUM5.3HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault
  >= 1.11.0, < 1.11.4
• MEDIUM5.3HashiCorp Vault improper configuration of multi factor authentication in github.com/hashicorp/vault
  >= 1.10.0, < 1.10.3
• MEDIUM5.3HashiCorp Vault improper configuration of multi factor authentication in github.com/hashicorp/vault
  >= 1.10.0, < 1.10.3
• MEDIUM5.3Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault
  from 0, < 1.6.6
• MEDIUM5.3Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault
  from 0, < 1.6.6, >= 1.7.0, < 1.7.4
• MEDIUM4.7Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations
  from 0, < 1.11.9
• MEDIUM4.7Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations
  from 0, < 1.11.9, >= 1.12.0, < 1.12.5, >= 1.13.0, < 1.13.1
• MEDIUM4.5Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin
  >= 0.3.0, < 1.19.3
• MEDIUM4.5Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin
  >= 0.3.0, < 1.19.3
• MEDIUM4.5Vault May Expose Sensitive Information When Configuring An Audit Log Device
  >= 1.15.0, < 1.15.5
• MEDIUM4.5Vault May Expose Sensitive Information When Configuring An Audit Log Device
  >= 1.15.0, < 1.15.5
• MEDIUM4.3Vault’s KV Diff Viewer Allowed for HTML Injection
  from 0, < 1.11.11
• MEDIUM4.3Vault’s KV Diff Viewer Allowed for HTML Injection
  from 0, < 1.11.11, >= 1.12.0, < 1.12.7, >= 1.13.0, < 1.13.3
• LOW3.7Timing Side-Channel in Vault’s Userpass Auth Method
  from 0, < 1.20.1
• LOW3.7Timing Side-Channel in Vault’s Userpass Auth Method
  from 0, < 1.20.1