Github.Com Hashicorp Consul vulnerabilities

32 known vulnerabilities affecting github.com/hashicorp_consul.

Total CVEs: 32
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 15, MEDIUM 17

Vulnerabilities

Page 2 of 2
CVE-2022-29153 | HIGH | CVSS 7.5 | PoC | Affected: ≥ 0, < 1.9.17; ≥ 1.10.0, < 1.10.10; +1 more | 2022-04-20
CVE-2022-29153 [HIGH] CWE-918 Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17
CVE-2022-24687 | MEDIUM | Affected: ≥ 1.8.0, < 1.9.15; ≥ 1.10.0, < 1.10.8; +1 more | 2022-02-25
CVE-2022-24687 [MEDIUM] CWE-400 HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers
HashiCorp Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, and 1.11.2 have Uncontrolled Resource Consumption. Clusters with at least one ingress gateway configured may allow a user with `service:write` permission to register a specifically-defined service that can cause the Consul server to panic and shut down. Versions 1.9.15, 1.10.8, a
CVE-2020-12758 | MEDIUM | Affected: ≥ 1.6.0-beta1, < 1.6.6; ≥ 1.7.0, < 1.7.4 | 2022-02-15
CVE-2020-12758 [MEDIUM] CWE-400 Denial of Service (DoS) in HashiCorp Consul
HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0, fixed in 1.6.6 and 1.7.4.
Specific Go packages affected: github.com/hashicorp/consul/agent/consul/discoverychain
CVE-2021-37219 | HIGH | Affected: ≥ 1.10.1, < 1.10.2; ≥ 1.9.0, < 1.9.9; +1 more | 2021-09-08
CVE-2021-37219 [HIGH] CWE-295 HashiCorp Consul Privilege Escalation Vulnerability
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
CVE-2021-38698 | MEDIUM | Affected: ≥ 1.10.1, < 1.10.2; ≥ 1.9.0, < 1.9.9; +1 more | 2021-09-08
CVE-2021-38698 [MEDIUM] CWE-862 HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.
CVE-2020-7955 | MEDIUM | Affected: ≥ 1.4.1, < 1.6.3 | 2021-07-28
CVE-2020-7955 [MEDIUM] CWE-863 Incorrect Authorization in HashiCorp Consul
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
CVE-2021-36213 | HIGH | Affected: ≥ 0, < 1.10.1 | 2021-07-19
CVE-2021-36213 [HIGH] HashiCorp Consul L7 deny intention results in an allow action
In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action.
CVE-2021-32574 | HIGH | Affected: ≥ 0, < 1.10.1 | 2021-07-19
CVE-2021-32574 [HIGH] CWE-295 Hashicorp Consul Missing SSL Certificate Validation
HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated.
CVE-2020-12797 | MEDIUM | Affected: ≥ 1.6.0, < 1.6.6; ≥ 1.7.0, < 1.7.4 | 2021-06-23
CVE-2020-12797 [MEDIUM] CWE-732 Incorrect Permission Assignment for Critical Resource in Hashicorp Consul
HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
Specific Go packages affected: github.com/hashicorp/consul/agent/structs
CVE-2020-7219 | HIGH | Affected: ≥ 0, < 1.6.3 | 2021-05-18
CVE-2020-7219 [HIGH] CWE-400 Denial of Service (DoS) in HashiCorp Consul
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
Specific Go packages affected: github.com/hashicorp/consul/agent/consul
CVE-2020-13250 | HIGH | Affected: ≥ 1.2.0, < 1.6.6; ≥ 1.7.0, < 1.7.4 | 2021-05-18
CVE-2020-13250 [HIGH] CWE-770 Allocation of Resources Without Limits or Throttling in Hashicorp Consul
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service.
Specific Go packages affected: github.com/hashicorp/consul/agent/config
Fix: The vulnerability is fixed in versions 1.6.6 and 1.7.4.
CVE-2020-13170 | MEDIUM | Affected: ≥ 1.6.0-beta1, < 1.6.6; ≥ 1.7.0, < 1.7.4 | 2021-05-18
CVE-2020-13170 [MEDIUM] CWE-20 Improper Input Validation in HashiCorp Consul
HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
Specific Go packages affected: github.com/hashicorp/consul/agent