Github.Com Hashicorp Consul vulnerabilities
32 known vulnerabilities affecting github.com/hashicorp_consul.
Total CVEs
32
CISA KEV
0
Public exploits
2
Exploited in wild
1
Severity breakdown
HIGH15MEDIUM17
Vulnerabilities
Page 2 of 2
CVE-2023-1297P3MEDIUM≥ 0, < 1.14.5≥ 1.15.0, < 1.15.32023-06-03
CVE-2023-1297 [MEDIUM] CWE-826 Hashicorp Consul vulnerable to denial of service
Hashicorp Consul vulnerable to denial of service
Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3
ghsaosv
CVE-2020-28053P4MEDIUM≥ 1.2.0, < 1.6.10≥ 1.7.0, < 1.7.10+1 more2024-01-31
CVE-2020-28053 [MEDIUM] CWE-732 Privilege Escalation in HashiCorp Consul
Privilege Escalation in HashiCorp Consul
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.
ghsaosv
CVE-2022-24687P4MEDIUM≥ 1.8.0, < 1.9.15≥ 1.10.0, < 1.10.8+1 more2022-02-25
CVE-2022-24687 [MEDIUM] CWE-400 HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers
HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers
HashiCorp Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, and 1.11.2 has Uncontrolled Resource Consumption. Clusters with at least one ingress gateway configured may allow a user with `service:write` permission to register a specifically-defined service that can cause the Consul server to panic and shutdown. Versions 1.9.15, 1.10.8, a
ghsaosv
CVE-2021-41803P4HIGH≥ 1.8.1, < 1.11.9≥ 1.12.0, < 1.12.5+1 more2022-09-25
CVE-2021-41803 [HIGH] CWE-862 HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
ghsaosv
CVE-2019-9764P4HIGH≥ 0, < 1.4.42022-05-13
CVE-2019-9764 [HIGH] CWE-346 HashiCorp Consul vulnerable to Origin Validation Error
HashiCorp Consul vulnerable to Origin Validation Error
HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if `verify_server_hostname` were set to false, even when it is actually set to true. This is fixed in 1.4.4.
ghsaosv
CVE-2023-0845P4MEDIUM≥ 1.14.0, < 1.14.52023-03-09
CVE-2023-0845 [MEDIUM] CWE-476 Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to
ghsaosv
CVE-2024-10005P4HIGH≥ 1.9.0, < 1.20.12024-10-31
CVE-2024-10005 [HIGH] CWE-22 Hashicorp Consul Path Traversal vulnerability
Hashicorp Consul Path Traversal vulnerability
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
ghsaosv
CVE-2024-10006P4MEDIUM≥ 1.9.0, < 1.20.12024-10-31
CVE-2024-10006 [MEDIUM] CWE-116 Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability
Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.
ghsaosv
CVE-2020-12797P4MEDIUM≥ 1.6.0, < 1.6.6≥ 1.7.0, < 1.7.42021-06-23
CVE-2020-12797 [MEDIUM] CWE-732 Incorrect Permission Assignment for Critical Resource in Hashicorp Consul
Incorrect Permission Assignment for Critical Resource in Hashicorp Consul
HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
### Specific Go Packages Affected
github.com/hashicorp/consul/agent/structs
ghsaosv
CVE-2018-19653P4MEDIUM≥ 0.5.1, < 1.4.12022-05-14
CVE-2018-19653 [MEDIUM] HashiCorp Consul can use cleartext agent-to-agent RPC communication
HashiCorp Consul can use cleartext agent-to-agent RPC communication
HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the `verify_outgoing` setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.
ghsaosv
CVE-2020-7955P4MEDIUM≥ 1.4.1, < 1.6.32021-07-28
CVE-2020-7955 [MEDIUM] CWE-863 Incorrect Authorization in HashiCorp Consul
Incorrect Authorization in HashiCorp Consul
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
ghsaosv
CVE-2024-10086P4MEDIUM≥ 1.4.1, < 1.20.02024-10-31
CVE-2024-10086 [MEDIUM] CWE-79 Hashicorp Consul Cross-site Scripting vulnerability
Hashicorp Consul Cross-site Scripting vulnerability
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.
ghsaosv
← Previous2 / 2