CVE-2019-12291 — Improper Access Control in Hashicorp Consul

CWE-284 — Improper Access Control7 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 38.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Consul Github.com Hashicorp Consul Debian Consul

Timeline

PublishedJun 6

Latest updateAug 20

Description

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Gogithub.com/hashicorp_consul1.4.0 — 1.5.1

▶Debianhashicorp/consul< 1.4.5+dfsg1-1

▶NVDhashicorp/consul1.4.0 — 1.5.0

▶debiandebian/consul< consul 1.4.5+dfsg1-1 (bullseye)

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

HashiCorp Consul Incorrect Access Control vulnerability in github.com/hashicorp/consul↗2024-08-20

▶

OSV

HashiCorp Consul Incorrect Access Control vulnerability↗2023-06-09

▶

GHSA

HashiCorp Consul Incorrect Access Control vulnerability↗2023-06-09

▶

OSV

matrix-synapse vulnerabilities↗2023-05-16

▶

OSV

CVE-2019-12291: HashiCorp Consul 1↗2019-06-06

▶

📋Vendor Advisories

Debian

CVE-2019-12291: consul - HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matc...↗2019

▶