HashiCorp Vagrant vulnerabilities
6 known vulnerabilities affecting hashicorp/vagrant.
Total CVEs: 6
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 1, LOW 1
Vulnerabilities
CVE-2025-34075 [MEDIUM] CWE-276 | ≥ 2.2.10, < 2.4.7 | 2025-07-02
HashiCorp Vagrant has code injection vulnerability through default synced folders
An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant versions 2.4.6 and below when using the default synced folder configuration. By design, Vagrant automatically mounts the host system’s project directory into the guest VM under /vagrant (or C:\vagrant on Windows). This in
ghsa, osv
CVE-2024-10228 [LOW] CWE-732 | CVSS 3.3 | fixed in 1.0.23 | 2024-10-29
The Vagrant VMWare Utility Windows installer targeted a custom location with a non-protected path that could be modified by an unprivileged user, introducing potential for unauthorized file system writes. This vulnerability, CVE-2024-10228, was fixed in Vagrant VMWare Utility 1.0.23.
nvd
CVE-2023-5834 [HIGH] CWE-1386 | CVSS 7.8 | fixed in 2.4.0 | ≥ *, < 2.4.0 | 2023-10-27
HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.
nvd
CVE-2022-42717 [HIGH] CWE-284 | CVSS 7.8 | fixed in 2.3.1 | 2022-10-11
An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root.
nvd
CVE-2017-16777 [HIGH] CWE-427 | CVSS 7.8 | PoC | v5.0.3 | 2017-11-16
If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.3 is installed but VMware Fusion is not, a local attacker can create a fake application directory and exploit the suid sudo helper in order to escalate to root.
nvd
CVE-2017-16001 [HIGH] CWE-362 | CVSS 7.8 | PoC | v5.0.1 | 2017-11-06
In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges.
nvd