consul

Description: A tool for service discovery, monitoring and configuration.
Version: 1.10.3-1 [community]

Resolved

Group     Affected  Fixed     Severity  Status        Ticket
AVG-2360  1.10.1-1  1.10.2-1  High      Fixed
AVG-2171  1.9.7-1   1.9.8-1   Medium    Fixed
AVG-1830  1.9.4-1             Medium    Not affected
AVG-1829  1.9.4-1   1.9.5-1   Medium    Fixed
AVG-1295  1.7.0-1   1.8.4-1   Medium    Not affected
AVG-1294  1.7.4-1   1.9.1-1   Medium    Fixed         FS#68723

Issue           Group     Severity  Remote  Type                             Description
CVE-2021-38698  AVG-2360  Medium    Yes     Information disclosure
    In HashiCorp Consul before version 1.10.2, the Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.
CVE-2021-37219  AVG-2360  High      Yes     Privilege escalation
    In HashiCorp Consul before version 1.10.2, the Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only...
CVE-2021-36213  AVG-2171  Medium    Yes     Access restriction bypass
    In HashiCorp Consul before version 1.9.8, xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action.
CVE-2021-32574  AVG-2171  Low       Yes     Certificate verification bypass
    HashiCorp Consul before version 1.9.8 does not validate SSL certificates correctly: xds does not ensure that the Subject Alternative Name of an upstream is...
CVE-2021-28156  AVG-1830  Medium    Yes     Access restriction bypass
    A vulnerability was identified in Consul Enterprise version 1.8.0 up to version 1.9.4 where a crafted endpoint URL could be used to bypass the audit log....
CVE-2020-28053  AVG-1294  Medium    Yes     Privilege escalation
    HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key...
CVE-2020-25864  AVG-1829  Medium    Yes     Cross-site scripting
    A vulnerability was identified in Consul and Consul Enterprise ("Consul") up to version 1.9.4 where a specially crafted KV entry could be used to perform a...
CVE-2020-25201  AVG-1295  Medium    Yes     Denial of service
    HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 allowed operators with service:write ACL permissions to write a malicious config entry that causes...

Advisories

Date         Advisory       Group     Severity  Type
27 Jul 2021  ASA-202107-69  AVG-2171  Medium    multiple issues