📦

vault

Vendor: hashicorp

Actively Exploited 0 CISA KEV List

PoC / Exploits 0 Code Available

Total RCEs 2 Remote Access

Total CVEs 90 Total Indexed

Avg. EPSS 0.37% Exploit Prob.

Latest CVE CVE-2026-5807 Apr 17

Security Vulnerability Index

Page 7 / 9

5.3 CVSS

CVE-2020-35453

HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.

EPSS: 0.33%

Severity: MEDIUM

Dec 17, 2020

5.3 CVSS

CVE-2020-35177

HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

EPSS: 0.39%

Severity: MEDIUM

Dec 17, 2020

9.8 CVSS

CVE-2020-35192

The official vault docker images before 0.11.6 contain a blank password for a root user. System using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.

EPSS: 2.01%

Severity: CRITICAL

Dec 17, 2020

6.8 CVSS

CVE-2020-25816

HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4.

EPSS: 0.31%

Severity: MEDIUM

Sep 30, 2020

8.2 CVSS

CVE-2020-16251

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

EPSS: 0.87%

Severity: HIGH

Aug 26, 2020

8.2 CVSS

CVE-2020-16250

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..

EPSS: 2.21%

Severity: HIGH

Aug 26, 2020

7.5 CVSS

CVE-2020-13223

HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.

EPSS: 0.35%

Severity: HIGH

Jun 10, 2020

9.8 CVSS

CVE-2020-12757

HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2.

EPSS: 0.43%

Severity: CRITICAL

Jun 10, 2020

9.1 CVSS

CVE-2020-10661

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.

EPSS: 0.37%

Severity: CRITICAL

Mar 23, 2020

5.3 CVSS

CVE-2020-10660

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

EPSS: 0.22%

Severity: MEDIUM

Mar 23, 2020

Displaying 10 of 90 Total Entries

5 6 7 8 9

Total 9 Sections