CVE-2020-7955 — Incorrect Authorization in Hashicorp Consul

CWE-863 — Incorrect Authorization CWE-841 — Improper Enforcement of Behavioral Workflow10 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 43.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Consul Github.com Hashicorp Consul Debian Consul

Timeline

PublishedJan 31

Latest updateAug 21

Description

HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDhashicorp/consul1.4.1 — 1.6.2

▶Gogithub.com/hashicorp_consul1.4.1 — 1.6.3

▶Debianhashicorp/consul< 1.7.0+dfsg1-1

▶debiandebian/consul< consul 1.7.0+dfsg1-1 (bullseye)

🔴Vulnerability Details

OSV

Incorrect Authorization in HashiCorp Consul in github.com/hashicorp/consul↗2024-08-21

▶

GHSA

Incorrect Authorization in HashiCorp Consul↗2021-07-28

▶

OSV

Incorrect Authorization in HashiCorp Consul↗2021-07-28

▶

OSV

CVE-2020-7955: HashiCorp Consul and Consul Enterprise 1↗2020-01-31

▶

📋Vendor Advisories

Red Hat

consul: Missing access control in HTTP API endpoints↗2020-01-29

▶

Debian

CVE-2020-7955: consul - HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enf...↗2020

▶

💬Community

Bugzilla

CVE-2020-7955 consul: Missing access control in HTTP API endpoints [fedora-30]↗2020-02-21

▶

Bugzilla

CVE-2020-7955 consul: Missing access control in HTTP API endpoints [epel-6]↗2020-02-21

▶

Bugzilla

CVE-2020-7955 consul: Missing access control in HTTP API endpoints↗2020-02-21

▶