| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Privilege escalation |
|
| Description |
| + |
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration when explicitly configured with the /v1/connect/ca/configuration endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh. |
|
| References |
| + |
https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020 |
| + |
https://github.com/hashicorp/consul/issues/9240 |
| + |
https://github.com/hashicorp/consul/commit/fd5928fa4ef21f935f4331a422504eecb89d0af5 |
|
| Notes |
|