CVE-2018-19653 — Hashicorp Consul vulnerability

CWE-3108 documents5 sources

Severity

5.9MEDIUMNVD

EPSS

0.4%

top 37.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Consul Github.com Hashicorp Consul Debian Consul

Timeline

PublishedDec 9

Latest updateAug 20

Description

HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶Gogithub.com/hashicorp_consul0.5.1 — 1.4.1

▶Debianhashicorp/consul< 1.4.4~dfsg1-1

▶NVDhashicorp/consul0.5.1 — 1.4.0

▶debiandebian/consul< consul 1.4.4~dfsg1-1 (bullseye)

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

HashiCorp Consul can use cleartext agent-to-agent RPC communication in github.com/hashicorp/consul↗2024-08-20

▶

GHSA

HashiCorp Consul can use cleartext agent-to-agent RPC communication↗2022-05-14

▶

OSV

HashiCorp Consul can use cleartext agent-to-agent RPC communication↗2022-05-14

▶

OSV

CVE-2018-19653: HashiCorp Consul 0↗2018-12-09

▶

📋Vendor Advisories

Debian

CVE-2018-19653: consul - HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC commun...↗2018

▶

💬Community

Bugzilla

CVE-2018-19653 consul: Misleading Configuration Resulting in Possible Plain Text Exposure↗2018-12-18

▶

Bugzilla

CVE-2018-19653 consul: Misleading Configuration Resulting in Possible Plain Text Exposure [fedora-all]↗2018-12-18

▶