cbcvebase.

Github.Com Hashicorp Vault vulnerabilities

55 known vulnerabilities affecting github.com/hashicorp_vault.

Total CVEs
55
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL6HIGH24MEDIUM22LOW3

Vulnerabilities

Page 3 of 3
CVE-2025-6004P4MEDIUM≥ 1.13.0, < 1.20.12025-08-01
CVE-2025-6004 [MEDIUM] CWE-307 Hashicorp Vault has Lockout Feature Authentication Bypass Hashicorp Vault has Lockout Feature Authentication Bypass Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
ghsaosv
CVE-2024-2660P4MEDIUM≥ 0, < 1.16.02024-04-04
CVE-2024-2660 [MEDIUM] CWE-636 HashiCorpVault does not correctly validate OCSP responses HashiCorpVault does not correctly validate OCSP responses Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
ghsaosv
CVE-2025-6015P4MEDIUM≥ 1.10.0, < 1.20.12025-08-01
CVE-2025-6015 [MEDIUM] CWE-307 Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
ghsaosv
CVE-2023-2121P4MEDIUMCVSS 5.4≥ 0, < 1.11.11≥ 1.12.0, < 1.12.7+1 more2023-06-09
CVE-2023-2121 [MEDIUM] CWE-79 Hashicorp Vault vulnerable to Cross-site Scripting Hashicorp Vault vulnerable to Cross-site Scripting Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.
ghsaosv
CVE-2023-3462P4MEDIUM≥ 0, < 1.13.5≥ 1.14.0, < 1.14.12023-08-01
CVE-2023-3462 [MEDIUM] CWE-203 HashiCorp Vault and Vault Enterprise vulnerable to user enumeration HashiCorp Vault and Vault Enterprise vulnerable to user enumeration HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
ghsaosv
CVE-2021-41802P4LOW≥ 0, < 1.7.5≥ 1.8.0, < 1.8.42021-10-12
CVE-2021-41802 [LOW] CWE-269 Hashicorp Vault Privilege Escalation Vulnerability Hashicorp Vault Privilege Escalation Vulnerability HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
ghsaosv
CVE-2022-30689P4MEDIUM≥ 1.10.0, < 1.10.32022-05-18
CVE-2022-30689 [MEDIUM] HashiCorp Vault improper configuration of multi factor authentication HashiCorp Vault improper configuration of multi factor authentication HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.
ghsaosv
CVE-2021-38554P4MEDIUM≥ 0, < 1.6.6≥ 1.7.0, < 1.7.42021-08-30
CVE-2021-38554 [MEDIUM] CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
ghsaosv
CVE-2022-41316P4MEDIUM≥ 1.11.0, < 1.11.4≥ 1.10.0, < 1.10.7+1 more2023-07-06
CVE-2022-41316 [MEDIUM] CWE-295 HashiCorp Vault's revocation list not respected HashiCorp Vault's revocation list not respected HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
ghsaosv
CVE-2020-35177P4MEDIUM≥ 1.5.0, < 1.5.6≥ 1.6.0, < 1.6.12024-01-31
CVE-2020-35177 [MEDIUM] CWE-200 Enumeration of users in HashiCorp Vault Enumeration of users in HashiCorp Vault HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
ghsaosv
CVE-2020-10660P4MEDIUM≥ 0.9.0, < 1.3.42024-01-30
CVE-2020-10660 [MEDIUM] CWE-269 HashiCorp Vault Improper Privilege Management HashiCorp Vault Improper Privilege Management HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.
ghsaosv
CVE-2023-25000P4MEDIUM≥ 0, < 1.11.9≥ 1.12.0, < 1.12.5+1 more2023-03-30
CVE-2023-25000 [MEDIUM] CWE-203 HashiCorp Vault's implementation of Shamir's secret sharing vulnerable to cache-timing attacks HashiCorp Vault's implementation of Shamir's secret sharing vulnerable to cache-timing attacks HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the
ghsaosv
CVE-2025-6011P4LOW≥ 0, < 1.20.12025-08-01
CVE-2025-6011 [LOW] CWE-203 Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.1
ghsaosv
CVE-2021-38553P4CRITICAL≥ 1.4.0, < 1.8.02021-08-30
CVE-2021-38553 [CRITICAL] CWE-281 HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.
ghsaosv
CVE-2025-4656P4LOWCVSS 3.1≥ 1.14.8, < 1.20.02025-06-26
CVE-2025-4656 [LOW] CWE-1088 Vault Community Edition rekey and recovery key operations can cause denial of service Vault Community Edition rekey and recovery key operations can cause denial of service Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.1
ghsaosv
Github.Com Hashicorp Vault vulnerabilities | cvebase