HashiCorp Consul 1.6.0

CPE Details

HashiCorp Consul 1.6.0
1.6.0
2021-02-09 16:57 +00:00
2021-02-09 16:57 +00:00

Alerte pour un CPE

Stay informed of any changes for a specific CPE.
Alert management

CPE Name: cpe:2.3:a:hashicorp:consul:1.6.0:*:*:*:-:*:*:*

Informations

Vendor

hashicorp

Product

consul

Version

1.6.0

Software Edition

-

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2023-0845 2023-03-09 15:14 +00:00 Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.
6.5
MEDIUM
CVE-2022-40716 2022-09-22 22:00 +00:00 HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."
6.5
MEDIUM
CVE-2022-29153 2022-04-18 22:00 +00:00 HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
7.5
HIGH
CVE-2021-38698 2021-09-07 09:45 +00:00 HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.
6.5
MEDIUM
CVE-2021-37219 2021-09-07 09:33 +00:00 HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
8.8
HIGH
CVE-2021-32574 2021-07-17 15:28 +00:00 HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
7.5
HIGH
CVE-2020-25864 2021-04-20 11:07 +00:00 HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
6.1
MEDIUM
CVE-2021-3121 2021-01-11 04:57 +00:00 An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
8.6
HIGH
CVE-2020-28053 2020-11-23 12:11 +00:00 HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.
6.5
MEDIUM
CVE-2020-13170 2020-06-11 17:41 +00:00 HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
7.5
HIGH
CVE-2020-12797 2020-06-11 17:37 +00:00 HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
5.3
MEDIUM
CVE-2020-12758 2020-06-11 17:23 +00:00 HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0, fixed in 1.6.6 and 1.7.4.
7.5
HIGH
CVE-2020-13250 2020-06-11 17:16 +00:00 HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.
7.5
HIGH
CVE-2020-7219 2020-01-31 11:39 +00:00 HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
7.5
HIGH
CVE-2020-7955 2020-01-31 11:19 +00:00 HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
5.3
MEDIUM