Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update module github.com/hashicorp/vault to v1.18.1 [SECURITY] #4817

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

pulumi-renovate[bot]
Copy link

@pulumi-renovate pulumi-renovate bot commented Nov 21, 2024

This PR contains the following updates:

Package Type Update Change
github.com/hashicorp/vault replace minor v1.2.0 -> v1.18.1

Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault

BIT-vault-2020-16250 / CVE-2020-16250 / GHSA-fp52-qw33-mfmw / GO-2022-0825

More information

Details

HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault Authentication bypass

BIT-vault-2020-16251 / CVE-2020-16251 / GHSA-4mp7-2m29-gqxf / GO-2024-2488

More information

Details

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault

BIT-vault-2020-16250 / CVE-2020-16250 / GHSA-fp52-qw33-mfmw / GO-2022-0825

More information

Details

Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


HashiCorp Vault Authentication bypass in github.com/hashicorp/vault

BIT-vault-2020-16251 / CVE-2020-16251 / GHSA-4mp7-2m29-gqxf / GO-2024-2488

More information

Details

HashiCorp Vault Authentication bypass in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault

BIT-vault-2020-7220 / CVE-2020-7220 / GHSA-9vh5-r4qw-v3vv / GO-2022-0816

More information

Details

Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Improper Resource Shutdown or Release in HashiCorp Vault

BIT-vault-2020-7220 / CVE-2020-7220 / GHSA-9vh5-r4qw-v3vv / GO-2022-0816

More information

Details

HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault Improper Privilege Management

BIT-vault-2020-10660 / CVE-2020-10660 / GHSA-m979-w9wj-qfj9 / GO-2024-2486

More information

Details

HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

BIT-vault-2020-10661 / CVE-2020-10661 / GHSA-j6vv-vv26-rh7c / GO-2024-2485

More information

Details

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


HashiCorp Vault Improper Privilege Management

BIT-vault-2020-10661 / CVE-2020-10661 / GHSA-j6vv-vv26-rh7c / GO-2024-2485

More information

Details

HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

BIT-vault-2020-10660 / CVE-2020-10660 / GHSA-m979-w9wj-qfj9 / GO-2024-2486

More information

Details

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault

BIT-vault-2020-25816 / CVE-2020-25816 / GHSA-57gg-cj55-q5g2 / GO-2024-2514

More information

Details

Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invalid session token expiration

BIT-vault-2021-32923 / CVE-2021-32923 / GHSA-38j9-7pp9-2hjw / GO-2022-0623

More information

Details

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Invalid session token expiration in github.com/hashicorp/vault

BIT-vault-2021-32923 / CVE-2021-32923 / GHSA-38j9-7pp9-2hjw / GO-2022-0623

More information

Details

Invalid session token expiration in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault

BIT-vault-2021-38554 / CVE-2021-38554 / GHSA-6239-28c2-9mrm / GO-2022-0632

More information

Details

HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault

BIT-vault-2021-38554 / CVE-2021-38554 / GHSA-6239-28c2-9mrm / GO-2022-0632

More information

Details

Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Hashicorp Vault Privilege Escalation Vulnerability in github.com/hashicorp/vault

BIT-vault-2021-41802 / CVE-2021-41802 / GHSA-qv95-g3gm-x542 / GO-2022-0618

More information

Details

Hashicorp Vault Privilege Escalation Vulnerability in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Hashicorp Vault Privilege Escalation Vulnerability

BIT-vault-2021-41802 / CVE-2021-41802 / GHSA-qv95-g3gm-x542 / GO-2022-0618

More information

Details

HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Severity

  • CVSS Score: 2.9 / 10 (Low)
  • Vector String: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault

BIT-vault-2021-43998 / CVE-2021-43998 / GHSA-pfmw-vj74-ph8g / GO-2022-0611

More information

Details

HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


HashiCorp Vault Incorrect Permission Assignment for Critical Resource

BIT-vault-2021-43998 / CVE-2021-43998 / GHSA-pfmw-vj74-ph8g / GO-2022-0611

More information

Details

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault's revocation list not respected

BIT-vault-2022-41316 / CVE-2022-41316 / GHSA-9mh8-9j64-443f / GO-2023-1897

More information

Details

HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault

BIT-vault-2022-41316 / CVE-2022-41316 / GHSA-9mh8-9j64-443f / GO-2023-1897

More information

Details

HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault

BIT-vault-2023-24999 / CVE-2023-24999 / GHSA-wmg5-g953-qqfw / GO-2023-1900

More information

Details

Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation

BIT-vault-2023-24999 / CVE-2023-24999 / GHSA-wmg5-g953-qqfw / GO-2023-1900

More information

Details

When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999, has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault

BIT-vault-2023-0620 / CVE-2023-0620 / GHSA-v3hp-mcj5-pg39 / GO-2023-1685

More information

Details

HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File

BIT-vault-2023-0620 / CVE-2023-0620 / GHSA-v3hp-mcj5-pg39 / GO-2023-1685

More information

Details

HashiCorp Vault and Vault Enterprise versions 0.8.0 until 1.13.1 are vulnerable to an SQL injection attack when using the Microsoft SQL (MSSQL) Database Storage Backend. When configuring the MSSQL plugin, certain parameters are required to establish a connection (schema, database, and table) are not sanitized when passed to the user-provided MSSQL database. A privileged attacker with the ability to write arbitrary data to Vault's configuration may modify these parameters to execute a malicious SQL command when the Vault configuration is applied. This issue is fixed in versions 1.13.1, 1.12.5, and 1.11.9.

Severity

  • CVSS Score: 6.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault

BIT-vault-2023-0665 / CVE-2023-0665 / GHSA-hwc3-3qh6-r4gg / GO-2023-1708

More information

Details

HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


HashiCorp Vault's implementation of Shamir's secret sharing vulnerable to cache-timing attacks

BIT-vault-2023-25000 / CVE-2023-25000 / GHSA-vq4h-9ghm-qmrr / GO-2023-1709

More information

Details

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault's PKI mount vulnerable to denial of service

BIT-vault-2023-0665 / CVE-2023-0665 / GHSA-hwc3-3qh6-r4gg / GO-2023-1708

More information

Details

HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Cache-timing attacks in Shamir's secret sharing in github.com/hashicorp/vault

BIT-vault-2023-25000 / CVE-2023-25000 / GHSA-vq4h-9ghm-qmrr / GO-2023-1709

More information

Details

HashiCorp Vault's implementation of Shamir's secret sharing uses precomputed table lookups, and is vulnerable to cache-timing attacks.

An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault

BIT-vault-2023-2121 / CVE-2023-2121 / GHSA-gq98-53rq-qr5h / GO-2023-1849

More information

Details

Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Hashicorp Vault vulnerable to Cross-site Scripting

BIT-vault-2023-2121 / CVE-2023-2121 / GHSA-gq98-53rq-qr5h / GO-2023-1849

More information

Details

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability

BIT-vault-2023-5077 / CVE-2023-5077 / GHSA-86c6-3g63-5w64 / GO-2023-2088

More information

Details

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

Severity

  • CVSS Score: 7.6 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault

BIT-vault-2023-5077 / CVE-2023-5077 / GHSA-86c6-3g63-5w64 / GO-2023-2088

More information

Details

Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


HashiCorp Vault and Vault Enterprise vulnerable to user enumeration

BIT-vault-2023-3462 / CVE-2023-3462 / GHSA-9v3w-w2jh-4hff / GO-2023-1986

More information

Details

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault

BIT-vault-2023-3462 / CVE-2023-3462 / GHSA-9v3w-w2jh-4hff / GO-2023-1986

More information

Details

HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault

BIT-vault-2023-5954 / CVE-2023-5954 / GHSA-4qhc-v8r6-8vwm / GO-2023-2329

More information

Details

HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability

BIT-vault-2023-5954 / CVE-2023-5954 / GHSA-4qhc-v8r6-8vwm / GO-2023-2329

More information

Details

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Incorrect TLS certificate auth method in Vault

BIT-vault-2024-2048 / CVE-2024-2048 / GHSA-r3w7-mfpm-c2vw / GO-2024-2617

More information

Details

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Authentication bypass in github.com/hashicorp/vault

BIT-vault-2024-2048 / CVE-2024-2048 / GHSA-r3w7-mfpm-c2vw / GO-2024-2617

More information

Details

The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims

BIT-vault-2024-5798 / CVE-2024-5798 / GHSA-32cj-5wx4-gq8p / GO-2024-2921

More information

Details

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected.

This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

References

@pulumi-renovate pulumi-renovate bot added dependencies Pull requests that update a dependency file impact/no-changelog-required This issue doesn't require a CHANGELOG update labels Nov 21, 2024
@pulumi-renovate pulumi-renovate bot enabled auto-merge (rebase) November 21, 2024 22:03
@pulumi-renovate
Copy link
Author

pulumi-renovate bot commented Nov 21, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: provider/go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: downloading github.com/pulumi/pulumi-terraform-bridge/v3 v3.97.1
go: downloading github.com/pulumi/pulumi-yaml v1.12.0
go: github.com/pulumi/pulumi-aws/provider/v6 imports
	github.com/hashicorp/terraform-provider-aws/shim: cannot find module providing package github.com/hashicorp/terraform-provider-aws/shim

Copy link

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

Maintainer note: consult the runbook for dealing with any breaking changes.

@pulumi-renovate pulumi-renovate bot force-pushed the renovate/security branch 2 times, most recently from cb70a40 to a2a3871 Compare November 22, 2024 17:00
@pulumi-renovate pulumi-renovate bot changed the title Update module github.com/hashicorp/vault to v1.18.1 [SECURITY] chore(deps): update module github.com/hashicorp/vault to v1.18.1 [security] Nov 25, 2024
@pulumi-renovate pulumi-renovate bot changed the title chore(deps): update module github.com/hashicorp/vault to v1.18.1 [security] Update module github.com/hashicorp/vault to v1.18.1 [SECURITY] Nov 25, 2024
@pulumi-renovate pulumi-renovate bot force-pushed the renovate/security branch 8 times, most recently from 8cac1c8 to df92761 Compare December 2, 2024 23:02
@pulumi-renovate pulumi-renovate bot force-pushed the renovate/security branch 7 times, most recently from d635404 to d37822b Compare December 6, 2024 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file impact/no-changelog-required This issue doesn't require a CHANGELOG update
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants