CVE-2020-25864
Published 2021-04-20
CVE-2020-25864: HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
Priority P342 · medium · CVSS 3.1 score 6.1
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 6.09% (92.5th percentile)
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | < consul 1.8.7+dfsg1-2 (bullseye) | consul 1.8.7+dfsg1-2 (bullseye) |
| github.com | hashicorp_consul | >= 0 < 1.7.14 | 1.7.14 |
| github.com | hashicorp_consul | >= 1.8.0 < 1.8.10 | 1.8.10 |
| github.com | hashicorp_consul | >= 1.9.0 < 1.9.5 | 1.9.5 |
| hashicorp | consul | < 1.7.14 | 1.7.14 |
| hashicorp | consul | >= 0 < 1.8.7+dfsg1-2 | 1.8.7+dfsg1-2 |
| hashicorp | consul | >= 1.8.0 < 1.8.10 | 1.8.10 |
| hashicorp | consul | >= 1.9.0 < 1.9.5 | 1.9.5 |
Detection & IOCs
URL: /v1/kv/{{randstr}}%3Fraw
- Look for GET requests to the Consul KV API endpoint with the '?raw' parameter (URL-encoded as %3Fraw): this is the attack vector for the XSS payload delivery.
- Detect responses from the Consul KV raw endpoint that return Content-Type: text/html, which enables XSS payload execution in the browser.
- Flag HTTP 200 responses from /v1/kv/*?raw that contain script-injection payloads in the body, indicating successful XSS exploitation.
- Consul versions up to and including 1.9.4 are vulnerable; flag any unpatched instances (fixed in 1.9.5, 1.8.10, and 1.7.14).
- Only the Consul server/agent itself is affected when KV raw mode is accessible; the Consul API client library alone is NOT affected.
- The XSS is triggered specifically through KV raw mode, so deployments that do not expose the Consul UI or raw KV endpoint to untrusted users have reduced exposure.
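
The request, response and version checks listed above, combined into one triage script. This is an added example, not code from the original page or from HashiCorp. The JSON log schema (`method`, `uri`, `status`, `resp_content_type`) and the sample records are constructed assumptions, and the version check applies to upstream version strings only (distribution packages with backported fixes, such as the Debian row, need a package-level check).

```python
import json
from urllib.parse import urlsplit, unquote

# Fixed releases per affected branch, taken from the table on this page.
FIXED = {(1, 7): (1, 7, 14), (1, 8): (1, 8, 10), (1, 9): (1, 9, 5)}

def is_vulnerable(version: str) -> bool:
    """True if an upstream Consul version string is in an affected range."""
    core = version.lstrip("v").split("+")[0].split("-")[0]
    v = tuple(int(p) for p in core.split(".")[:3])
    if v < (1, 7, 0):
        return True                      # page lists ">= 0 < 1.7.14"
    fixed = FIXED.get(v[:2])             # branches after 1.9 are not listed
    return fixed is not None and v < fixed

def is_kv_raw(uri: str) -> bool:
    """KV raw-mode request, with '?raw' sent literally or encoded as %3Fraw."""
    parts = urlsplit(uri)
    path, query = unquote(parts.path), parts.query
    if "?" in path:                      # %3Fraw arrived inside the path
        path, _, extra = path.partition("?")
        query = f"{extra}&{query}" if query else extra
    keys = {kv.split("=", 1)[0].lower() for kv in query.split("&") if kv}
    return path.startswith("/v1/kv/") and "raw" in keys

def triage(line: str):
    """Return 'html-response', 'raw-request' or None for one JSON log line."""
    rec = json.loads(line)
    if rec.get("method") != "GET" or not is_kv_raw(rec.get("uri", "")):
        return None
    ctype = rec.get("resp_content_type", "").lower()
    if rec.get("status") == 200 and ctype.startswith("text/html"):
        return "html-response"           # raw KV value served as HTML
    return "raw-request"                 # raw mode used; review the source

SAMPLE_LOG = [  # constructed records in the assumed proxy log schema
    '{"method":"GET","uri":"/v1/kv/app/config?raw","status":200,"resp_content_type":"text/plain"}',
    '{"method":"GET","uri":"/v1/kv/x1%3Fraw","status":200,"resp_content_type":"text/html; charset=utf-8"}',
    '{"method":"GET","uri":"/v1/kv/app/config","status":200,"resp_content_type":"application/json"}',
]

def scan(lines):
    """Triage every log line, preserving order."""
    return [triage(line) for line in lines]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), is_vulnerable("1.9.4"))
```
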
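CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 6.1 | MEDIUM | |
| vendor_debian | | 6.1 | MEDIUM | |
| vendor_redhat | | 6.1 | MEDIUM | |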
Red Hat
consul: specially crafted KV entry could be used to perform a XSS attack
vendor_redhat · 2021-04-14 · CVSS 6.1 · MEDIUM · CWE-79
In consul, a specially crafted KV (key/value store) entry could be used by an attacker to perform an XSS (cross-site scripting) attack when viewed in raw mode.
Statement: OpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM) components ship only consul api which could be used for connection to consul service mesh solution, therefore are not affected by this flaw.
Some OpenShift Virtualization components reference consul in go.sum files, however none of the projects or container images depend on or ship consul, therefore are not affected by this f
Debian
CVE-2020-25864: consul - HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mo...
vendor_debian · 2020 · CVSS 6.1 · MEDIUM
Scope: local
bullseye: resolved (fixed in 1.8.7+dfsg1-2)
OSV
HashiCorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul
osv·2024-08-20
OSV
HashiCorp Consul Cross-site Scripting vulnerability
osv · 2022-05-24 · MEDIUM
GHSA
HashiCorp Consul Cross-site Scripting vulnerability
ghsa · 2022-05-24 · MEDIUM · CWE-79
OSV
CVE-2020-25864: HashiCorp Consul and Consul Enterprise up to version 1
osv · 2021-04-20 · CVSS 6.1 · MEDIUM
Nuclei
HashiCorp Consul/Consul Enterprise <=1.9.4 - Cross-Site Scripting
nuclei · CVSS 6.1 · MEDIUM
HashiCorp Consul/Consul Enterprise alert(document.domain)
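```yaml
# Fragment of the Nuclei template as indexed here; the template's earlier lines are not on this page.
  - |
    GET {{BaseURL}}/v1/kv/{{randstr}}%3Fraw HTTP/1.1
    Host: {{Hostname}}

matchers-condition: and
matchers:
  # Response header must declare an HTML content type
  - type: word
    part: header
    words:
      - text/html
  # Body of the second response must contain the marker string
  - type: word
    part: body_2
    words:
      - alert(document.domain)
  # Request must succeed
  - type: status
    status:
      - 200
```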
# digest: 490a0046304402207544236c4026fd73ccd7b3241913be7c7c7d77e9f2ef3746e60bd8cd5d10cd53022052e4c0a972c59b556acdfb0ca6337c27df7db0788bbd2b2876bafd97ea5a673f:922c64590222798bb761d5b6d8e72950
- https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368
- https://security.gentoo.org/glsa/202208-09
- https://www.hashicorp.com/blog/category/consul
Published: 2021-04-20