Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27400PUBLISHED: 2021-04-22HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVE-2021-29653PUBLISHED: 2021-04-22HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
CVE-2021-30476PUBLISHED: 2021-04-22HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
CVE-2021-22540PUBLISHED: 2021-04-22Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2021-27736PUBLISHED: 2021-04-22FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.
User Rank: Strategist
4/24/2014 | 9:01:40 AM
Our own (IS Decisions) research has shown that password sharing in business using Active Directory is indeed rampant. But with further restrictions on user access (limiting concurrent logins, location/time restrictions) users are significantly less likely to share passwords as it impacts their own ability to access the network. Such restrictions also help stop attacks from legitimate but stolen credentials.
Active Directory provides basic security, but it's vital to build on this with further restrictions and real time monitoring to what authenticated users can do. Software is available to do this in a way that is easy and user friendly.