CVE-2020-7955
Published: 2020-01-31
CVE-2020-7955: HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended…
Priority: P4 · 25 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.41% (69.3rd percentile)
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | < consul 1.7.0+dfsg1-1 (bullseye) | consul 1.7.0+dfsg1-1 (bullseye) |
| github.com | hashicorp_consul | >= 1.4.1 < 1.6.3 | 1.6.3 |
| hashicorp | consul | >= 0 < 1.7.0+dfsg1-1 | 1.7.0+dfsg1-1 |
| hashicorp | consul | >= 1.4.1 < 1.6.2 | 1.6.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 5.3 | MEDIUM | |
| vendor_debian | | 5.3 | MEDIUM | |
| vendor_redhat | | 5.3 | MEDIUM | |
OSV
osv · 2024-08-21
Incorrect Authorization in HashiCorp Consul in github.com/hashicorp/consul
GHSA
ghsa · 2021-07-28 · MEDIUM · CWE-863
Incorrect Authorization in HashiCorp Consul
OSV
osv · 2021-07-28 · MEDIUM
Incorrect Authorization in HashiCorp Consul
OSV
osv · 2020-01-31 · CVSS 5.3 · MEDIUM
CVE-2020-7955: HashiCorp Consul and Consul Enterprise 1
Red Hat
vendor_redhat · 2020-01-29 · CVSS 5.3 · MEDIUM · CWE-841
consul: Missing access control in HTTP API endpoints
Package: servicemesh (OpenShift Service Mesh 1) - Not affected
Package: servicemesh-operator (OpenShift Service Mesh 1) - Not affected
Package: servicemesh-prometheus (OpenShift Service Mesh 1) - Not affected
Package: consul-client (Red Hat Fuse 7) - Not affected
Debian
vendor_debian · 2020 · CVSS 5.3 · MEDIUM
CVE-2020-7955: consul - HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enf...
Scope: local
bullseye: resolved (fixed in 1.7.0+dfsg1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2020-02-21 · CVSS 5.3 · MEDIUM
CVE-2020-7955 consul: Missing access control in HTTP API endpoints [fedora-30]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-30.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template for the '
Bugzilla
bugzilla · 2020-02-21 · CVSS 5.3 · MEDIUM
CVE-2020-7955 consul: Missing access control in HTTP API endpoints [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template for the 'fedpkg
Bugzilla
bugzilla · 2020-02-21 · CVSS 5.3 · MEDIUM
CVE-2020-7955 consul: Missing access control in HTTP API endpoints
Upstream issue:
https://github.com/hashicorp/consul/issues/7160
Discussion:
Created consul tracking bugs for this issue:
Affects: epel-6 [bug 1805876]
Affects: fedora-30 [bug 1805877]
---
Whilst OpenShift ServiceMesh does package consul, it is not a vulnerable version (packages v1.1.0 and v1.3.0).
The vulnerable HTTP API endpoint (v1/agent/health/service/*) was only added in releases of consul starting from v1.4.1.
Ref commit which includes the API endpoint: https://github.com/hashicorp/consul/commit/4f62a3b5285cef13f25d162f267