CVE-2020-25201 - log

CVE-2020-25201 edited at 23 Nov 2020 17:34:32
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 allowed operators with service:write ACL permissions to write a malicious config entry that causes infinite raft writes due to issues with the namespace replication logic. This can lead to an operator with access to one namespace to be able to temporarily delete a doppelgänger configuration in another namespace they should not have access to modify.
References
+ https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#185-october-23-2020
+ https://github.com/hashicorp/consul/pull/9024
+ https://github.com/hashicorp/consul/commit/58387fef0a8240d0457001bb2bac075796775e11
Notes
CVE-2020-25201 created at 23 Nov 2020 17:24:28