Vulnerabilities for 'Consul'

2022-04-19
 
CVE-2022-29153

CWE-918
 

 
HashiCorp Consul and Consul Enterprise through 2022-04-12 allow SSRF.

 
2022-02-24
 
CVE-2022-24687

CWE-400
 

 
HashiCorp Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, and 1.11.2 have Uncontrolled Resource Consumption.

 
2021-12-12
 
CVE-2021-41805

CWE-863
 

 
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.

 
2021-09-07
 
CVE-2021-37219

CWE-295
 

 
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.

 
 
CVE-2021-38698

CWE-863
 

 
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

 
2021-04-20
 
CVE-2020-25864

CWE-79
 

 
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

 
 
CVE-2021-28156

NVD-CWE-noinfo
 

 
HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5 and 1.8.10.

 
2020-12-08
 
CVE-2020-29564

NVD-CWE-Other
 

 
The official Consul Docker images 0.7.1 through 1.4.2 contain a blank password for a root user. Systems using the Consul Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.

 
2020-06-11
 
CVE-2020-13250

CWE-119
 

 
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.

 
 
CVE-2020-13170

CWE-20
 

 
HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.

 


Copyright 2024, cxsecurity.com

 
