CVE-2020-7219
Published: 2020-01-31
Priority: P3 · Severity: high · CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 2.01% (78.4th percentile)
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | < consul 1.7.0+dfsg1-1 (bullseye) | consul 1.7.0+dfsg1-1 (bullseye) |
| github.com | hashicorp_consul | >= 0 < 1.6.3 | 1.6.3 |
| hashicorp | consul | < 1.6.2 | 1.6.2 |
| hashicorp | consul | >= 0 < 1.7.0+dfsg1-1 | 1.7.0+dfsg1-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
OSV
Denial of Service (DoS) in HashiCorp Consul in github.com/hashicorp/consul
osv · 2024-08-21
GHSA
Denial of Service (DoS) in HashiCorp Consul
ghsa · 2021-05-18 · HIGH · CWE-400
### Specific Go Packages Affected
github.com/hashicorp/consul/agent/consul
OSV
Denial of Service (DoS) in HashiCorp Consul
osv · 2021-05-18 · HIGH
### Specific Go Packages Affected
github.com/hashicorp/consul/agent/consul
OSV
CVE-2020-7219: HashiCorp Consul and Consul Enterprise up to 1
osv · 2020-01-31 · CVSS 7.5 · HIGH
Red Hat
consul: HTTP/RPC Services Allow Unbounded Resource Usage
vendor_redhat · 2020-01-28 · CVSS 7.5 · HIGH · CWE-400
An unbound resource consumption vulnerability was found in the API of consul. A remote attacker with a connection to the consul agent servers could abuse this flaw to cause a denial of service (DoS) by repeatedly sending TLS connect attempts over HTTP or RPC, possibly causing an application crash.
Mitigation: Enforce network connection limits on Consul server agents by using the following iptables rule:
```shell
# 8300 is the Consul server RPC port; reject new connections from a source
# address once it already holds more than 100 concurrent connections.
iptables -A INPUT -p tcp --syn --dport 8300 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
```
Package: servicemesh (OpenShift Service
Debian
CVE-2020-7219: consul - HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unb...
vendor_debian · 2020 · CVSS 7.5 · HIGH
Scope: local
bullseye: resolved (fixed in 1.7.0+dfsg1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-7219 consul: HTTP/RPC Services Allow Unbounded Resource Usage
bugzilla · 2020-02-21 · CVSS 7.5 · HIGH
Upstream issue:
https://github.com/hashicorp/consul/issues/7159
Discussion:
Created consul tracking bugs for this issue:
Affects: epel-6 [bug 1805868]
Affects: fedora-30 [bug 1805867]
---
External References:
https://github.com/hashicorp/consul/issues/7159
---
Mitigation:
Enforce network connection limits on Consul server agents by using the following iptables rule:
```shell
# 8300 is the Consul server RPC port; reject new connections from a source
# address once it already holds more than 100 concurrent connections.
iptables -A INPUT -p tcp --syn --dport 8300 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
```
---
Working with Kevin, whilst the go.mod file is incl
Bugzilla
CVE-2020-7219 consul: HTTP/RPC Services Allow Unbounded Resource Usage [epel-6]
bugzilla · 2020-02-21 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-6.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Use the following template for the 'fe
Bugzilla
CVE-2020-7219 consul: HTTP/RPC Services Allow Unbounded Resource Usage [fedora-30]
bugzilla · 2020-02-21 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-30.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Use the following template for t