
cpe:2.3:a:hashicorp:tooling:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Hashicorp (dc524c16-6a01-528e-a41c-9d3e02e5e4a3)
Product: Tooling (041ce156-3db2-529a-abe0-bd0e99af0355)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpe | Applicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-5061 vulnerable 2026-06-03 15:26:26.494240 Consul-template vulnerable to sandbox path bypass in file helper via a symlink attack
MEDIUM (4.7)
The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.
Published: 2026-05-12T13:58:20.409Z
Updated: 2026-05-12T15:43:01.985Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-4660 vulnerable 2026-06-03 15:26:25.852100 Go-getter may allow to arbitrary filesystem reads through git operations
HIGH (7.5)
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Published: 2026-04-09T13:47:46.953Z
Updated: 2026-04-17T17:57:55.534Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-1293 vulnerable 2026-06-03 14:59:04.974001 HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass
HIGH (8.2)
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.
Published: 2025-02-20T00:28:37.246Z
Updated: 2025-02-20T14:24:57.660Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-13357 vulnerable 2026-06-03 14:58:45.931985 Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method
HIGH (7.4)
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.
Published: 2025-11-21T15:02:27.081Z
Updated: 2026-04-17T17:57:56.094Z
Imported from gcve-enriched-dumps CVE data
