Affected by GO-2022-1021 and 24 other vulnerabilities

GO-2022-1021: HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault

GO-2023-1685: HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault

GO-2023-1708: HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault

GO-2023-1849: Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault

GO-2023-1897: HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault

GO-2023-1900: Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault

GO-2023-1986: HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault

GO-2023-2063: HashiCorp Vault Improper Input Validation vulnerability in github.com/hashicorp/vault

GO-2023-2088: Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault

GO-2023-2329: HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault

GO-2024-2617: Authentication bypass in github.com/hashicorp/vault

GO-2024-2690: HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault

GO-2024-2921: HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault

GO-2024-3162: Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault

GO-2024-3191: Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault

GO-2024-3246: Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault

GO-2025-3663: Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information in github.com/hashicorp/vault

GO-2025-3836: Hashicorp Vault has Incorrect Validation for Non-CA Certificates in github.com/hashicorp/vault

GO-2025-3837: Hashicorp Vault has Privilege Escalation Vulnerability in github.com/hashicorp/vault

GO-2025-3838: Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration in github.com/hashicorp/vault

GO-2025-3839: Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users in github.com/hashicorp/vault

GO-2025-3841: Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault

GO-2025-3848: HashiCorp Vault ldap auth method may not have correctly enforced MFA in github.com/hashicorp/vault

GO-2025-3924: HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads in github.com/hashicorp/vault

GO-2025-4070: HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass in github.com/hashicorp/vault

http

package

v1.9.0-rc1 Latest Latest Go to latest Published: Nov 4, 2021 License: MPL-2.0 Imports: 47 Imported by: 210

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/hashicorp/vault

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func Handler(props *vault.HandlerProperties) http.Handler
func TestListener(tb testing.TB) (net.Listener, string)
func TestServer(tb testing.TB, core *vault.Core) (net.Listener, string)
func TestServerAuth(tb testing.TB, addr string, token string)
func TestServerWithListener(tb testing.TB, ln net.Listener, addr string, core *vault.Core)
func TestServerWithListenerAndProperties(tb testing.TB, ln net.Listener, addr string, core *vault.Core, ...)
func WrapForwardedForHandler(h http.Handler, l *configutil.Listener) http.Handler
type FeatureFlagsResponse
type GenerateRootInitRequest
type GenerateRootStatusResponse
type GenerateRootUpdateRequest
type HealthResponse
type HealthResponseLicense
type InitRequest
type InitResponse
type InitStatusResponse
type JoinRequest
type JoinResponse
type RekeyRequest
type RekeyStatusResponse
type RekeyUpdateRequest
type RekeyUpdateResponse
type RekeyVerificationStatusResponse
type RekeyVerificationUpdateRequest
type RekeyVerificationUpdateResponse
type UIAssetWrapper
- func (fsw *UIAssetWrapper) Open(name string) (http.File, error)
type UnsealRequest
type WrappingResponseWriter

Constants ¶

View Source

const (
	// WrapTTLHeaderName is the name of the header containing a directive to
	// wrap the response
	WrapTTLHeaderName = "X-Vault-Wrap-TTL"

	// WrapFormatHeaderName is the name of the header containing the format to
	// wrap in; has no effect if the wrap TTL is not set
	WrapFormatHeaderName = "X-Vault-Wrap-Format"

	// NoRequestForwardingHeaderName is the name of the header telling Vault
	// not to use request forwarding
	NoRequestForwardingHeaderName = "X-Vault-No-Request-Forwarding"

	// MFAHeaderName represents the HTTP header which carries the credentials
	// required to perform MFA on any path.
	MFAHeaderName = "X-Vault-MFA"

	// PolicyOverrideHeaderName is the header set to request overriding
	// soft-mandatory Sentinel policies.
	PolicyOverrideHeaderName = "X-Vault-Policy-Override"

	VaultIndexHeaderName        = "X-Vault-Index"
	VaultInconsistentHeaderName = "X-Vault-Inconsistent"
	VaultForwardHeaderName      = "X-Vault-Forward"
	VaultInconsistentForward    = "forward-active-node"
	VaultInconsistentFail       = "fail"

	// DefaultMaxRequestSize is the default maximum accepted request size. This
	// is to prevent a denial of service attack where no Content-Length is
	// provided and the server is fed ever more data until it exhausts memory.
	// Can be overridden per listener.
	DefaultMaxRequestSize = 32 * 1024 * 1024
)

View Source

const MergePatchContentTypeHeader = "application/merge-patch+json"

Variables ¶

View Source

var FeatureFlag_EnvVariables = [...]string{
	"VAULT_CLOUD_ADMIN_NAMESPACE",
}

Functions ¶

func Handler ¶

func Handler(props *vault.HandlerProperties) http.Handler

Handler returns an http.Handler for the API. This can be used on its own to mount the Vault API within another web server.

func TestListener ¶

func TestListener(tb testing.TB) (net.Listener, string)

func TestServer ¶

func TestServer(tb testing.TB, core *vault.Core) (net.Listener, string)

func TestServerAuth ¶

func TestServerAuth(tb testing.TB, addr string, token string)

func TestServerWithListener ¶

func TestServerWithListener(tb testing.TB, ln net.Listener, addr string, core *vault.Core)

func TestServerWithListenerAndProperties ¶ added in v0.10.4

func TestServerWithListenerAndProperties(tb testing.TB, ln net.Listener, addr string, core *vault.Core, props *vault.HandlerProperties)

func WrapForwardedForHandler ¶ added in v0.10.1

func WrapForwardedForHandler(h http.Handler, l *configutil.Listener) http.Handler

Types ¶

type FeatureFlagsResponse ¶ added in v1.6.2

type FeatureFlagsResponse struct {
	FeatureFlags []string `json:"feature_flags"`
}

type GenerateRootInitRequest ¶ added in v0.5.0

type GenerateRootInitRequest struct {
	OTP    string `json:"otp"`
	PGPKey string `json:"pgp_key"`
}

type GenerateRootStatusResponse ¶ added in v0.5.0

type GenerateRootStatusResponse struct {
	Nonce            string `json:"nonce"`
	Started          bool   `json:"started"`
	Progress         int    `json:"progress"`
	Required         int    `json:"required"`
	Complete         bool   `json:"complete"`
	EncodedToken     string `json:"encoded_token"`
	EncodedRootToken string `json:"encoded_root_token"`
	PGPFingerprint   string `json:"pgp_fingerprint"`
	OTP              string `json:"otp"`
	OTPLength        int    `json:"otp_length"`
}

type GenerateRootUpdateRequest ¶ added in v0.5.0

type GenerateRootUpdateRequest struct {
	Nonce string
	Key   string
}

type HealthResponse ¶

type HealthResponse struct {
	Initialized                bool                   `json:"initialized"`
	Sealed                     bool                   `json:"sealed"`
	Standby                    bool                   `json:"standby"`
	PerformanceStandby         bool                   `json:"performance_standby"`
	ReplicationPerformanceMode string                 `json:"replication_performance_mode"`
	ReplicationDRMode          string                 `json:"replication_dr_mode"`
	ServerTimeUTC              int64                  `json:"server_time_utc"`
	Version                    string                 `json:"version"`
	ClusterName                string                 `json:"cluster_name,omitempty"`
	ClusterID                  string                 `json:"cluster_id,omitempty"`
	LastWAL                    uint64                 `json:"last_wal,omitempty"`
	License                    *HealthResponseLicense `json:"license,omitempty"`
}

type HealthResponseLicense ¶ added in v1.8.0

type HealthResponseLicense struct {
	State      string `json:"state"`
	ExpiryTime string `json:"expiry_time"`
	Terminated bool   `json:"terminated"`
}

type InitRequest ¶

type InitRequest struct {
	SecretShares      int      `json:"secret_shares"`
	SecretThreshold   int      `json:"secret_threshold"`
	StoredShares      int      `json:"stored_shares"`
	PGPKeys           []string `json:"pgp_keys"`
	RecoveryShares    int      `json:"recovery_shares"`
	RecoveryThreshold int      `json:"recovery_threshold"`
	RecoveryPGPKeys   []string `json:"recovery_pgp_keys"`
	RootTokenPGPKey   string   `json:"root_token_pgp_key"`
}

type InitResponse ¶

type InitResponse struct {
	Keys            []string `json:"keys"`
	KeysB64         []string `json:"keys_base64"`
	RecoveryKeys    []string `json:"recovery_keys,omitempty"`
	RecoveryKeysB64 []string `json:"recovery_keys_base64,omitempty"`
	RootToken       string   `json:"root_token"`
}

type InitStatusResponse ¶

type InitStatusResponse struct {
	Initialized bool `json:"initialized"`
}

type JoinRequest ¶ added in v1.2.0

type JoinRequest struct {
	AutoJoin            string `json:"auto_join"`
	AutoJoinScheme      string `json:"auto_join_scheme"`
	AutoJoinPort        uint   `json:"auto_join_port"`
	LeaderAPIAddr       string `json:"leader_api_addr"`
	LeaderCACert        string `json:"leader_ca_cert"`
	LeaderClientCert    string `json:"leader_client_cert"`
	LeaderClientKey     string `json:"leader_client_key"`
	LeaderTLSServerName string `json:"leader_tls_servername"`
	Retry               bool   `json:"retry"`
	NonVoter            bool   `json:"non_voter"`
}

type JoinResponse ¶ added in v1.2.0

type JoinResponse struct {
	Joined bool `json:"joined"`
}

type RekeyRequest ¶ added in v0.2.0

type RekeyRequest struct {
	SecretShares        int      `json:"secret_shares"`
	SecretThreshold     int      `json:"secret_threshold"`
	StoredShares        int      `json:"stored_shares"`
	PGPKeys             []string `json:"pgp_keys"`
	Backup              bool     `json:"backup"`
	RequireVerification bool     `json:"require_verification"`
}

type RekeyStatusResponse ¶ added in v0.2.0

type RekeyStatusResponse struct {
	Nonce                string   `json:"nonce"`
	Started              bool     `json:"started"`
	T                    int      `json:"t"`
	N                    int      `json:"n"`
	Progress             int      `json:"progress"`
	Required             int      `json:"required"`
	PGPFingerprints      []string `json:"pgp_fingerprints"`
	Backup               bool     `json:"backup"`
	VerificationRequired bool     `json:"verification_required"`
	VerificationNonce    string   `json:"verification_nonce,omitempty"`
}

type RekeyUpdateRequest ¶ added in v0.2.0

type RekeyUpdateRequest struct {
	Nonce string
	Key   string
}

type RekeyUpdateResponse ¶ added in v0.2.0

type RekeyUpdateResponse struct {
	Nonce                string   `json:"nonce"`
	Complete             bool     `json:"complete"`
	Keys                 []string `json:"keys"`
	KeysB64              []string `json:"keys_base64"`
	PGPFingerprints      []string `json:"pgp_fingerprints"`
	Backup               bool     `json:"backup"`
	VerificationRequired bool     `json:"verification_required"`
	VerificationNonce    string   `json:"verification_nonce,omitempty"`
}

type RekeyVerificationStatusResponse ¶ added in v0.10.2

type RekeyVerificationStatusResponse struct {
	Nonce    string `json:"nonce"`
	Started  bool   `json:"started"`
	T        int    `json:"t"`
	N        int    `json:"n"`
	Progress int    `json:"progress"`
}

type RekeyVerificationUpdateRequest ¶ added in v0.10.2

type RekeyVerificationUpdateRequest struct {
	Nonce string `json:"nonce"`
	Key   string `json:"key"`
}

type RekeyVerificationUpdateResponse ¶ added in v0.10.2

type RekeyVerificationUpdateResponse struct {
	Nonce    string `json:"nonce"`
	Complete bool   `json:"complete"`
}

type UIAssetWrapper ¶ added in v0.10.0

type UIAssetWrapper struct {
	FileSystem http.FileSystem
}

func (*UIAssetWrapper) Open ¶ added in v0.10.0

func (fsw *UIAssetWrapper) Open(name string) (http.File, error)

type UnsealRequest ¶

type UnsealRequest struct {
	Key     string
	Reset   bool
	Migrate bool
}

Note: because we didn't provide explicit tagging in the past we can't do it now because if it then no longer accepts capitalized versions it could break clients

type WrappingResponseWriter ¶ added in v1.9.0

type WrappingResponseWriter interface {
	http.ResponseWriter
	Wrapped() http.ResponseWriter
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL