CVE-2019-9764 — Origin Validation Error in Hashicorp Consul

CWE-346 — Origin Validation Error6 documents4 sources

Severity

7.4HIGHNVD

EPSS

0.2%

top 60.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Consul Hashicorp Consul Debian Consul

Timeline

PublishedMar 26

Latest updateAug 20

Description

HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages3 packages

▶Gogithub.com/hashicorp_consul< 1.4.4

▶NVDhashicorp/consul1.4.3

▶debiandebian/consul

🔴Vulnerability Details

OSV

HashiCorp Consul vulnerable to Origin Validation Error in github.com/hashicorp/consul↗2024-08-20

▶

OSV

HashiCorp Consul vulnerable to Origin Validation Error↗2022-05-13

▶

GHSA

HashiCorp Consul vulnerable to Origin Validation Error↗2022-05-13

▶

OSV

CVE-2019-9764: HashiCorp Consul 1↗2019-03-26

▶

📋Vendor Advisories

Debian

CVE-2019-9764: consul - HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS...↗2019

▶