Search for packages
| purl | pkg:deb/debian/consul@0?distro=bullseye |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-4rvd-1dka-vufc | Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers A vulnerability was identified in Consul such that using JWT authentication for service mesh incorrectly allows/denies access regardless of service identities. This vulnerability, CVE-2023-3518, affects Consul 1.16.0 and was fixed in 1.16.1. |
CVE-2023-3518
GHSA-9rhf-q362-77mx |
| VCID-65ru-yj23-qqbr | HashiCorp Consul L7 deny intention results in an allow action In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action. |
CVE-2021-36213
GHSA-8h2g-r292-j8xh |
| VCID-a6jm-xxdn-h3f3 | HashiCorp Consul vulnerable to Origin Validation Error HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if `verify_server_hostname` were set to false, even when it is actually set to true. This is fixed in 1.4.4. |
CVE-2019-9764
GHSA-q7fx-wm2p-qfj8 |
| VCID-e8wd-mxwb-rqdj | Missing Authorization in HashiCorp Consul HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0. |
CVE-2022-3920
GHSA-gw2g-hhc9-wgjh |
| VCID-kf3v-xwjs-ube6 | HashiCorp Consul Access Restriction Bypass HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is used in unusual circumstances. |
CVE-2019-8336
GHSA-fhm8-cxcv-pwvc |
| VCID-pqcu-293u-vbhp | Hashicorp Consul allows user with service:write permissions to patch remote proxy instances Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies. |
CVE-2023-2816
GHSA-rqjq-ww83-wv5c |
| VCID-r7p6-mxej-uqak | Consul Server Panic when Ingress and API Gateways Configured with Peering Connections A vulnerability was identified in Consul and Consul Enterprise (“Consul”) an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to an ACL token with service:write permissions, and there needs to be at least one running ingress or API gateway that is configured to route traffic to an upstream service. |
CVE-2023-0845
GHSA-wj6x-hcc2-f32j |
| VCID-tfrv-ak5x-5qg7 | Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. |
CVE-2021-28156
|
| VCID-tn8b-w652-1ydg | Hashicorp Consul vulnerable to denial of service Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3 |
CVE-2023-1297
GHSA-c57c-7hrj-6q6v |
| VCID-uxvb-etj2-zud6 | HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. |
CVE-2021-41805
|