Browse all 89 CVE security advisories affecting HashiCorp. AI-powered Chinese analysis, POCs, and references for each vulnerability.
HashiCorp develops infrastructure automation software, primarily known for Terraform, Vault, and Consul, which enable organizations to provision and secure cloud infrastructure. The company’s products have historically been associated with various vulnerability classes, including remote code execution, cross-site scripting, and privilege escalation, often stemming from complex integration points or misconfigurations in how these tools interact with underlying systems. With 89 CVEs currently on record, the security landscape for HashiCorp tools reflects the inherent risks of widely adopted, high-privilege infrastructure management software. While no single catastrophic incident has defined the brand’s history, the volume of disclosed flaws highlights the challenges of maintaining security across a diverse ecosystem of plugins and integrations. Users must rigorously patch these tools to mitigate risks associated with unauthorized access or data exfiltration, ensuring that the powerful automation capabilities do not become vectors for systemic compromise.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-4680 | Vault's Transit Secrets Engine Allowed Nonce Specified without Convergent Encryption | Vault | CWE-323 | 6.8 | Medium | 2023-09-14 |
| CVE-2023-3462 | Vault's LDAP Auth Method Allows for User Enumeration | Vault | CWE-203 | 5.3 | Medium | 2023-07-31 |
| CVE-2023-2121 | Vault’s KV Diff Viewer Allowed for HTML Injection | Vault | CWE-79 | 4.3 | Medium | 2023-06-09 |
| CVE-2023-0620 | Vault Vulnerable to SQL Injection When Configuring the Microsoft SQL Database Storage Backend | Vault | CWE-89 | 6.5 | Medium | 2023-03-30 |
| CVE-2023-0665 | Vault PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata | Vault | CWE-285 | 6.5 | Medium | 2023-03-30 |
| CVE-2023-25000 | Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations | Vault | CWE-208 | 5.0 | Medium | 2023-03-30 |
| CVE-2023-24999 | Vault Fails to Verify if the AppRole SecretID Belongs to Role During a Destroy Operation | Vault | CWE-863 | 4.4 | Medium | 2023-03-10 |
This page lists every published CVE security advisory associated with HashiCorp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.