
Github.Com Hashicorp Consul vulnerabilities

32 known vulnerabilities affecting github.com/hashicorp_consul.

Total CVEs: 32
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: HIGH 15, MEDIUM 17

Vulnerabilities

Page 2 of 2
CVE-2023-1297 (P3, MEDIUM) CWE-826: Hashicorp Consul vulnerable to denial of service
Affected: ≥ 0, < 1.14.5; ≥ 1.15.0, < 1.15.3 | 2023-06-03
Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with a service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5 and 1.15.3.
CVE-2020-28053 (P4, MEDIUM) CWE-732: Privilege Escalation in HashiCorp Consul
Affected: ≥ 1.2.0, < 1.6.10; ≥ 1.7.0, < 1.7.10; +1 more | 2024-01-31
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.
CVE-2022-24687 (P4, MEDIUM) CWE-400: HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers
Affected: ≥ 1.8.0, < 1.9.15; ≥ 1.10.0, < 1.10.8; +1 more | 2022-02-25
HashiCorp Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, and 1.11.2 has Uncontrolled Resource Consumption. Clusters with at least one ingress gateway configured may allow a user with `service:write` permission to register a specifically-defined service that can cause the Consul server to panic and shutdown. Versions 1.9.15, 1.10.8, a
CVE-2021-41803 (P4, HIGH) CWE-862: HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
Affected: ≥ 1.8.1, < 1.11.9; ≥ 1.12.0, < 1.12.5; +1 more | 2022-09-25
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
CVE-2019-9764 (P4, HIGH) CWE-346: HashiCorp Consul vulnerable to Origin Validation Error
Affected: ≥ 0, < 1.4.4 | 2022-05-13
HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if `verify_server_hostname` were set to false, even when it is actually set to true. This is fixed in 1.4.4.
CVE-2023-0845 (P4, MEDIUM) CWE-476: Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
Affected: ≥ 1.14.0, < 1.14.5 | 2023-03-09
A vulnerability was identified in Consul and Consul Enterprise ("Consul"): an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to
CVE-2024-10005 (P4, HIGH) CWE-22: Hashicorp Consul Path Traversal vulnerability
Affected: ≥ 1.9.0, < 1.20.1 | 2024-10-31
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
CVE-2024-10006 (P4, MEDIUM) CWE-116: Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability
Affected: ≥ 1.9.0, < 1.20.1 | 2024-10-31
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.
CVE-2020-12797 (P4, MEDIUM) CWE-732: Incorrect Permission Assignment for Critical Resource in Hashicorp Consul
Affected: ≥ 1.6.0, < 1.6.6; ≥ 1.7.0, < 1.7.4 | 2021-06-23
HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
Specific Go Packages Affected: github.com/hashicorp/consul/agent/structs
CVE-2018-19653 (P4, MEDIUM): HashiCorp Consul can use cleartext agent-to-agent RPC communication
Affected: ≥ 0.5.1, < 1.4.1 | 2022-05-14
HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the `verify_outgoing` setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.
CVE-2020-7955 (P4, MEDIUM) CWE-863: Incorrect Authorization in HashiCorp Consul
Affected: ≥ 1.4.1, < 1.6.3 | 2021-07-28
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
CVE-2024-10086 (P4, MEDIUM) CWE-79: Hashicorp Consul Cross-site Scripting vulnerability
Affected: ≥ 1.4.1, < 1.20.0 | 2024-10-31
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.