
HashiCorp — Vulnerabilities & Security Advisories (89)

Browse all 89 CVE security advisories affecting HashiCorp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

HashiCorp develops infrastructure automation software, best known for Terraform, Vault, Consul, Nomad and Boundary, which organizations use to provision and secure cloud infrastructure. Because these tools hold or broker high-value credentials and run with broad privileges, the vulnerability classes recorded against them have direct impact: missing or incorrect authorization and privilege escalation (for example CVE-2023-1782 and CVE-2023-1299 in Nomad, CVE-2023-0665 in Vault's PKI engine), exposure of secrets and credentials (CVE-2023-0690 in Boundary workers, CVE-2023-3299 in Nomad Enterprise), injection flaws (CVE-2023-0620, SQL injection in Vault's MSSQL storage backend; CVE-2023-2121, HTML injection in Vault's KV diff viewer), cryptographic weaknesses (CVE-2023-4680, CVE-2023-2197, CVE-2023-25000) and denial of service. Most of these sit at integration points such as secrets engines, auth methods, service-mesh proxy configuration, and Enterprise namespace or cluster-peering features, or arise from misconfiguration of how the tools interact with underlying systems. With 89 CVEs on record, the security picture reflects the inherent risk of widely adopted, high-privilege infrastructure management software. No single catastrophic incident defines the product line's history, but the volume of disclosed flaws across plugins, auth methods and integrations shows how hard it is to keep such an ecosystem secure. Operators should track these advisories, patch promptly, and review ACL policies, auth-method configuration and storage backends, since any of them can become a path to unauthorized access or data exfiltration and turn the automation itself into a vector for systemic compromise.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2023-5077 | Vault's Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets | Vault | CWE-266 | 7.6 | High | 2023-09-28
CVE-2023-3775 | Vault Enterprise's Sentinel RGP Policies Allowed For Cross-Namespace Denial of Service | Vault Enterprise | CWE-266 | 4.2 | Medium | 2023-09-28
CVE-2023-4680 | Vault's Transit Secrets Engine Allowed Nonce Specified without Convergent Encryption | Vault | CWE-323 | 6.8 | Medium | 2023-09-14
CVE-2023-4782 | Terraform Allows Arbitrary File Write During Init Operation | Terraform | CWE-22 | 6.3 | Medium | 2023-09-08
CVE-2023-3518 | JWT Auth in L7 Intentions Allow For Mismatched Service Identity and JWT Providers for Access | Consul | CWE-266 | 7.4 | High | 2023-08-09
CVE-2023-3462 | Vault's LDAP Auth Method Allows for User Enumeration | Vault | CWE-203 | 5.3 | Medium | 2023-07-31
CVE-2023-3774 | Vault Enterprise Namespace Creation May Lead to Denial of Service | Vault Enterprise | CWE-248 | 4.9 | Medium | 2023-07-28
CVE-2023-3300 | Nomad Search API Leaks Information About CSI Plugins | Nomad | CWE-266 | 5.3 | Medium | 2023-07-19
CVE-2023-3299 | Nomad Caller ACL Token's Secret ID is Exposed to Sentinel | Nomad Enterprise | CWE-201 | 3.4 | Low | 2023-07-19
CVE-2023-3072 | Nomad ACL Policies without Label are Applied to Unexpected Resources | Nomad | CWE-266 | 4.1 | Medium | 2023-07-19
CVE-2023-3114 | Terraform Enterprise Agent Pool Controls Allowed Unauthorized Workspaces To Target an Agent Pool | Terraform Enterprise | CWE-266 | 5.0 | Medium | 2023-06-22
CVE-2023-2121 | Vault’s KV Diff Viewer Allowed for HTML Injection | Vault | CWE-79 | 4.3 | Medium | 2023-06-09
CVE-2023-1297 | Consul Cluster Peering can Result in Denial of Service | Consul | CWE-826 | 4.9 | Medium | 2023-06-02
CVE-2023-2816 | Consul Envoy Extension Downstream Proxy Configuration By Upstream Service Owner | Consul | CWE-266 | 8.7 | High | 2023-06-02
CVE-2023-2197 | Vault Enterprise Vulnerable to Padding Oracle Attacks When Using a CBC-based Encryption Mechanism with a HSM | Vault Enterprise | CWE-326 | 2.5 | Low | 2023-05-01
CVE-2023-1782 | Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation | Nomad | CWE-862 | 10.0 | Critical | 2023-04-05
CVE-2023-0620 | Vault Vulnerable to SQL Injection When Configuring the Microsoft SQL Database Storage Backend | Vault | CWE-89 | 6.5 | Medium | 2023-03-30
CVE-2023-0665 | Vault PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata | Vault | CWE-285 | 6.5 | Medium | 2023-03-30
CVE-2023-25000 | Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations | Vault | CWE-208 | 5.0 | Medium | 2023-03-30
CVE-2023-1299 | Nomad Job Submitter Privilege Escalation Using Workload Identity | Nomad | CWE-862 | 7.4 | High | 2023-03-14
CVE-2023-1296 | Nomad ACLs Can Not Deny Access to Workload's Own Variables | Nomad | CWE-682 | 2.7 | Low | 2023-03-14
CVE-2023-24999 | Vault Fails to Verify if the AppRole SecretID Belongs to Role During a Destroy Operation | Vault | CWE-863 | 4.4 | Medium | 2023-03-10
CVE-2023-0845 | Consul Server Panic when Ingress and API Gateways Configured with Peering | Consul | CWE-476 | 4.9 | Medium | 2023-03-09
CVE-2023-0821 | Nomad Client Vulnerable to Decompression Bombs in Artifact Block | Nomad | CWE-409 | 6.5 | Medium | 2023-02-16
CVE-2023-0475 | Go-Getter Vulnerable to Decompression Bombs | go-getter | CWE-409 | 4.2 | Medium | 2023-02-16
CVE-2023-0690 | Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured | Boundary | CWE-312 | 5.0 | Medium | 2023-02-08
CVE-2022-3920 | Consul Peering Imported Nodes/Services Leak | Consul | CWE-862 | 5.3 | Medium | 2022-11-15
CVE-2022-3867 | Nomad Event Stream Subscriber Using a Token with TTL Receives Updates Until Garbage Collected | Nomad | CWE-613 | 2.7 | Low | 2022-11-10
CVE-2022-3866 | Nomad Workload Identity Token Can List Non-sensitive Metadata for Paths Under nomad/ | Nomad | CWE-668 | 5.0 | Medium | 2022-11-10

This page lists every published CVE security advisory associated with HashiCorp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.
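For triage it is useful to pull this listing into structured records and rank them against what you actually run, rather than reading 89 rows by hand. The following is an added example, not code from this site or from HashiCorp. It parses rows in the fused form a plain-text extraction of the table produces (product name glued to the CWE id, severity word glued to the publication date), ranks them by CVSS, severity and recency, filters by deployed product, and flags any row whose severity label disagrees with its score under the standard CVSS v3.x/4.0 qualitative bands (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0). The sample rows are copied from this page's table; the field and function names are this example's own.

```python
"""Parse flattened HashiCorp advisory rows and rank them for patch triage.

Added example; not code from the listing site or from HashiCorp. It expects
rows in the fused form a plain-text extraction of the table produces, e.g.

  CVE-2023-1782 Nomad ... Privilege Escalation — NomadCWE-862 10.0 Critical2023-04-05

The em-dash before the product is the page's own delimiter. Field and function
names (Advisory, parse_listing, triage, ...) are this example's own choice.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# One fused row: CVE id, title, " — ", product glued to CWE, score, label glued to date.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+—\s+"
    r"(?P<product>.+?)(?P<cwe>CWE-\d+)\s+"
    r"(?P<cvss>\d{1,2}\.\d)\s+"
    r"(?P<severity>Critical|High|Medium|Low)"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Sample input: rows copied from this page's table, in the fused extracted form.
SAMPLE_ROWS = """\
CVE IDTitleCVSSSeverityPublished
CVE-2023-4782 Terraform Allows Arbitrary File Write During Init Operation — TerraformCWE-22 6.3 Medium2023-09-08
CVE-2023-3299 Nomad Caller ACL Token's Secret ID is Exposed to Sentinel — Nomad EnterpriseCWE-201 3.4 Low2023-07-19
CVE-2023-2816 Consul Envoy Extension Downstream Proxy Configuration By Upstream Service Owner — ConsulCWE-266 8.7 High2023-06-02
CVE-2023-1782 Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation — NomadCWE-862 10.0 Critical2023-04-05
CVE-2023-0620 Vault Vulnerable to SQL Injection When Configuring the Microsoft SQL Database Storage Backend — VaultCWE-89 6.5 Medium2023-03-30
CVE-2023-1299 Nomad Job Submitter Privilege Escalation Using Workload Identity — NomadCWE-862 7.4 High2023-03-14
CVE-2023-0475 Go-Getter Vulnerable to Decompression Bombs — go-getterCWE-409 4.2 Medium2023-02-16
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    product: str
    cwe: str
    cvss: float
    severity: str
    published: date


def parse_row(line: str) -> Advisory:
    """Split one fused row into its seven fields; reject anything that does not match."""
    m = ROW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised advisory row: {line!r}")
    cvss = float(m["cvss"])
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range in {m['cve']}: {cvss}")
    return Advisory(m["cve"], m["title"], m["product"].strip(), m["cwe"],
                    cvss, m["severity"], date.fromisoformat(m["published"]))


def parse_listing(text: str) -> list[Advisory]:
    """Parse every line that starts with a CVE id; the header and blank lines are skipped."""
    return [parse_row(ln) for ln in text.splitlines() if ln.strip().startswith("CVE-")]


def triage(advisories, products=None, min_cvss=0.0) -> list[Advisory]:
    """Patch order: highest CVSS, then severity label, then newest publication date.
    Optionally restrict to the products you deploy and to a CVSS floor."""
    wanted = set(products) if products else None
    picked = [a for a in advisories
              if a.cvss >= min_cvss and (wanted is None or a.product in wanted)]
    return sorted(picked, key=lambda a: (-a.cvss, -SEVERITY_RANK[a.severity],
                                         -a.published.toordinal()))


def by_product(advisories) -> dict:
    """Count advisories per product, to see where exposure concentrates."""
    return dict(Counter(a.product for a in advisories))


def expected_label(cvss: float) -> str:
    """Qualitative band for a CVSS v3.x/4.0 base score."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "None"


def label_mismatches(advisories) -> list:
    """Rows whose severity label disagrees with their score; worth a second look before trusting the feed."""
    return [(a.cve, a.cvss, a.severity, expected_label(a.cvss))
            for a in advisories if a.severity != expected_label(a.cvss)]


if __name__ == "__main__":
    advisories = parse_listing(SAMPLE_ROWS)
    for a in triage(advisories, min_cvss=7.0):
        print(f"{a.cvss:>4}  {a.severity:<8} {a.published}  {a.cve}  {a.product}: {a.title}")
    for cve, cvss, label, expected in label_mismatches(advisories):
        print(f"label mismatch: {cve} scored {cvss} but labelled {label} (expected {expected})")
```

Run it against the full table by pasting the rows into SAMPLE_ROWS or reading them from a file; `triage(advisories, products={"Vault", "Nomad"}, min_cvss=7.0)` gives the patch order for a shop that runs only those two products.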