Search for packages
| purl | pkg:deb/debian/consul@1.8.7%2Bdfsg1-2?distro=bullseye |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2dmf-rj8w-xycm | Denial of Service (DoS) in HashiCorp Consul HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0, fixed in 1.6.6 and 1.7.4. ### Specific Go Packages Affected github.com/hashicorp/consul/agent/consul/discoverychain |
CVE-2020-12758
GHSA-q2qr-3c2p-9235 |
| VCID-467g-8bds-t3ef | HashiCorp Consul Incorrect Access Control vulnerability HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured. ### Specific Go Packages Affected github.com/hashicorp/consul/acl |
CVE-2019-12291
GHSA-h65h-v7fw-4p38 |
| VCID-4rvd-1dka-vufc | Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers A vulnerability was identified in Consul such that using JWT authentication for service mesh incorrectly allows/denies access regardless of service identities. This vulnerability, CVE-2023-3518, affects Consul 1.16.0 and was fixed in 1.16.1. |
CVE-2023-3518
GHSA-9rhf-q362-77mx |
| VCID-65ru-yj23-qqbr | HashiCorp Consul L7 deny intention results in an allow action In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action. |
CVE-2021-36213
GHSA-8h2g-r292-j8xh |
| VCID-a6jm-xxdn-h3f3 | HashiCorp Consul vulnerable to Origin Validation Error HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if `verify_server_hostname` were set to false, even when it is actually set to true. This is fixed in 1.4.4. |
CVE-2019-9764
GHSA-q7fx-wm2p-qfj8 |
| VCID-cqzz-az3e-kych | Improper Input Validation in HashiCorp Consul HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4. ### Specific Go Packages Affected github.com/hashicorp/consul/agent |
CVE-2020-13170
GHSA-p2j5-3f4c-224r |
| VCID-e8wd-mxwb-rqdj | Missing Authorization in HashiCorp Consul HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0. |
CVE-2022-3920
GHSA-gw2g-hhc9-wgjh |
| VCID-ftvt-9nb3-xue3 | Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. |
CVE-2020-25864
GHSA-8xmx-h8rq-h94j |
| VCID-gkgb-5g8x-7fgf | Denial of Service (DoS) in HashiCorp Consul HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. ### Specific Go Packages Affected github.com/hashicorp/consul/agent/consul |
CVE-2020-7219
GHSA-23jv-v6qj-3fhh |
| VCID-gsqu-g2y4-a7ap | Privilege Escalation in HashiCorp Consul HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6. |
CVE-2020-28053
GHSA-6m72-467w-94rh |
| VCID-jm2d-ejbf-qfhz | Allocation of Resources Without Limits or Throttling in Hashicorp Consul HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. ### Specific Go Packages Affected github.com/hashicorp/consul/agent/config ### Fix The vulnerability is fixed in versions 1.6.6 and 1.7.4. |
CVE-2020-13250
GHSA-rqjq-mrgx-85hp |
| VCID-kf3v-xwjs-ube6 | HashiCorp Consul Access Restriction Bypass HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is used in unusual circumstances. |
CVE-2019-8336
GHSA-fhm8-cxcv-pwvc |
| VCID-mv9z-hxmr-skfp | Denial of service in HashiCorp Consul HashiCorp Consul Enterprise versions 1.7.0 up to 1.7.8 and 1.8.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5. |
CVE-2020-25201
GHSA-496g-fr33-whrf |
| VCID-pet2-hhx7-g7fc | HashiCorp Consul can use cleartext agent-to-agent RPC communication HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the `verify_outgoing` setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade. |
CVE-2018-19653
GHSA-4qvx-qq5w-695p |
| VCID-pqcu-293u-vbhp | Hashicorp Consul allows user with service:write permissions to patch remote proxy instances Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies. |
CVE-2023-2816
GHSA-rqjq-ww83-wv5c |
| VCID-r7p6-mxej-uqak | Consul Server Panic when Ingress and API Gateways Configured with Peering Connections A vulnerability was identified in Consul and Consul Enterprise (“Consul”) an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to an ACL token with service:write permissions, and there needs to be at least one running ingress or API gateway that is configured to route traffic to an upstream service. |
CVE-2023-0845
GHSA-wj6x-hcc2-f32j |
| VCID-tfrv-ak5x-5qg7 | Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. |
CVE-2021-28156
|
| VCID-th2f-96u1-syhg | Incorrect Permission Assignment for Critical Resource in Hashicorp Consul HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4. ### Specific Go Packages Affected github.com/hashicorp/consul/agent/structs |
CVE-2020-12797
GHSA-hwqm-x785-qh8p |
| VCID-tn8b-w652-1ydg | Hashicorp Consul vulnerable to denial of service Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3 |
CVE-2023-1297
GHSA-c57c-7hrj-6q6v |
| VCID-uxvb-etj2-zud6 | HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace. |
CVE-2021-41805
|
| VCID-xzyq-wm1j-dkcu | Incorrect Authorization in HashiCorp Consul HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. |
CVE-2020-7955
GHSA-r9w6-rhh9-7v53 |